Access request emails should send with recipients in BCC, not To
Zendesk: https://gitlab.zendesk.com/agent/tickets/36392
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/21646
The request access feature sends an email to all group masters and owners, with addresses in the To: field. In the case of one customer, the group contained over 5,000 such owners and masters. They all received an email with all addresses in the To: field. It's not that nice to share everyone's email addresses like that.
Proposal
- Only send the access request email to group Owners. Maintainers shouldn't get the access request notification.
- Use a To: in the email and move all notified Owners to BCC. If we don't have a good To: email option, I suggest `Gitlab::CurrentSettings.admin_notification_email`.
- Limit the number of Owners contacted to 10, sending to the most recently active users in the group.
cc/ @DouweM What do you think?
Edited by Jeremy Watson (ex-GitLab)
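The three points of the proposal, sketched in plain Ruby as an added example (this is not GitLab's code): Owners only, a cap of 10 ordered by recent activity, and Owner addresses kept out of the visible headers. The `Member` struct, the access-level constants, the method names and all sample addresses are assumptions made for this illustration.

```ruby
require 'time'

# Hypothetical access levels for this example (not read from GitLab).
MAINTAINER = 40
OWNER = 50

Member = Struct.new(:email, :access_level, :last_activity_at)

# Pick who is notified: Owners only, most recently active first, capped.
def select_recipients(members, limit: 10)
  members
    .select { |m| m.access_level == OWNER }
    .sort_by(&:last_activity_at)
    .reverse
    .first(limit)
    .map(&:email)
end

# Build the message. Owner addresses appear only in the SMTP envelope
# (the effect of BCC); the visible To: header holds one neutral address.
def build_access_request_mail(members, requester:, group:, to_address:, limit: 10)
  # Reject CR/LF so user-controlled values cannot add extra headers.
  [requester, group, to_address].each do |v|
    raise ArgumentError, 'line break in header value' if v =~ /[\r\n]/
  end
  bcc = select_recipients(members, limit: limit)
  headers = [
    "To: #{to_address}",
    "Subject: Request to join the #{group} group",
    "Date: #{Time.now.utc.rfc2822}"
  ]
  body = "#{requester} requested access to #{group}."
  { bcc: bcc,
    envelope_rcpt: [to_address] + bcc, # what the SMTP RCPT TO commands would carry
    message: headers.join("\r\n") + "\r\n\r\n" + body }
end

# Constructed sample data: 12 owners and 3 maintainers.
SAMPLE_MEMBERS =
  (1..12).map { |i| Member.new("owner#{i}@example.com", OWNER, Time.utc(2019, 1, i)) } +
  (1..3).map { |i| Member.new("maint#{i}@example.com", MAINTAINER, Time.utc(2019, 2, i)) }

MAIL = build_access_request_mail(SAMPLE_MEMBERS, requester: 'jdoe',
                                 group: 'example-group', to_address: 'admin@example.com')
```

A regression test for this behaviour would assert that no Owner address appears anywhere in the rendered message, which is the property the original report found missing.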