
Resolve "Send a specific `Password changed by Admin` email when an admin resets the password of another user"

What does this MR do?

For #27284 (closed)

By default, Devise triggers a 'Password changed' email whenever a user's password is changed, using model callbacks.

Since these are triggered by callbacks, the same email is sent even when an admin changes the password of another user.

This MR sends out a specific "Password changed by administrator" email to the user, when a GitLab administrator changes their password via the API/UI.

Devise's default "Password changed" email will not be triggered in this case, to avoid sending two different emails for the same event.

Note: Usage in Rails console

Sending the right email when an admin updates a user's password from the UI or API is handled automatically. When a GitLab admin changes a user's password from the Rails console, however, a one-liner must be run explicitly so that the "Admin changed your password" email is sent in place of the default "Password changed" email:

```ruby
user = User.find_by(email: 'hello@example.com')
# This line must be run explicitly so that the `Admin changed your password`
# email is sent instead of Devise's default `Password changed` email.
user.send_only_admin_changed_your_password_notification!
user.password = user.password_confirmation = 'new_password'
user.save!
```
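The following is an added illustration, not GitLab's or Devise's code, of the pattern this MR relies on: a one-shot flag set by `send_only_admin_changed_your_password_notification!` that the password-change hook consumes on the next save, so exactly one email goes out per event. It is plain Ruby; the `User` class, its in-memory `deliveries` log and the template names are constructed stand-ins for ActiveRecord, Devise callbacks and the mailer.

```ruby
# Constructed stand-in for a Devise-backed ActiveRecord model (not GitLab's own code).
class User
  attr_reader :email, :deliveries

  def initialize(email, password)
    @email = email
    @password = password            # assumed: plain string stands in for encrypted_password
    @saved_password = password      # last persisted value, used for change detection
    @password_confirmation = nil
    @deliveries = []                # constructed mail log: [[template, recipient], ...]
    @admin_changed_password = false # the one-shot flag set by the console one-liner
  end

  # Mirrors the MR's one-liner: mark that the *next* password save was made by
  # an admin, so the admin-specific email replaces the default one.
  def send_only_admin_changed_your_password_notification!
    @admin_changed_password = true
  end

  def password=(new_password)
    @password = new_password
  end

  def password_confirmation=(value)
    @password_confirmation = value
  end

  def password_changed?
    @password != @saved_password
  end

  # Stand-in for save! plus Devise's after-update password-change notification.
  def save!
    if password_changed?
      raise ArgumentError, 'password confirmation mismatch' if @password_confirmation != @password
      notify_password_change
      @saved_password = @password
    end
    self
  end

  private

  # Exactly one template per change: the admin one if flagged, else the default.
  def notify_password_change
    if @admin_changed_password
      @deliveries << [:admin_changed_your_password, email]
      @admin_changed_password = false # consumed: later self-service changes get the default email
    else
      @deliveries << [:password_change, email]
    end
  end
end
```

A save with no password change sends nothing, and a confirmation mismatch aborts before any email is queued.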

Screenshots

HTML email: [screenshot]

Text email: [screenshot]

(For reference) The default Devise 'Password changed' email, which is no longer triggered when an admin changes the password of another user: [screenshot]

Note: The above email will still be triggered when users change their own passwords.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Manoj M J [On PTO]
