Resolve "Send a specific `Password changed by Admin` email when an admin resets the password of another user"
What does this MR do?
For #27284 (closed)
By default, Devise triggers a 'Password changed' email whenever the password of a user is changed, using model callbacks.
Since these are triggered using callbacks, the same email is triggered even if an admin changes the password of another user.
This MR sends out a specific "Password changed by administrator" email to the user when a GitLab administrator changes their password via the API/UI.
The usual Devise default "Password changed" email will not be triggered in this case (to avoid triggering 2 different emails for the same event).
Note: Usage in Rails console
While the right email is sent automatically when an admin updates the password of a user from the UI or API, when a GitLab admin changes the password of a user from the Rails console, a one-liner needs to be explicitly run to send out the `Admin changed your password` email in place of the default `Password changed` email. Like so:

```ruby
user = User.find_by(email: 'hello@example.com')
# This line needs to be explicitly run to send the `Admin changed your password` email notification.
user.send_only_admin_changed_your_password_notification!
user.password = user.password_confirmation = 'new_password'
user.save!
```
Screenshots
HTML email
Text email
(For reference): The default Devise 'Password changed' email, which is not triggered anymore when an admin changes the password of another user.
Note: The above email will still be triggered when users change their own passwords.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
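
The notification choice described in "What does this MR do?", modelled in plain Ruby as an added example; it is not code from this MR, GitLab, or Devise. `Mailbox`, `SketchUser`, `demo` and the reset of the flag after `save!` are assumptions made for the illustration; only the method name `send_only_admin_changed_your_password_notification!` and the two email subjects come from the description.

```ruby
# Added illustration, not GitLab or Devise code. Mailbox and SketchUser are
# hypothetical stand-ins for the mailer and the User model.
Mailbox = Struct.new(:deliveries) do
  def deliver(to, subject)
    deliveries << { to: to, subject: subject }
  end
end

class SketchUser
  def initialize(email, mailbox)
    @email = email
    @mailbox = mailbox
    @password_dirty = false
    @admin_changed = false
  end

  def password=(new_password)
    @password = new_password
    @password_dirty = true
  end

  # Same name as the method in the description; the body is a stand-in.
  def send_only_admin_changed_your_password_notification!
    @admin_changed = true
  end

  # Models the save callback: exactly one email per password change.
  def save!
    if @password_dirty
      subject = @admin_changed ? 'Password changed by administrator' : 'Password changed'
      @mailbox.deliver(@email, subject)
    end
    @password_dirty = false
    @admin_changed = false # assumption: the flag applies to one save only
    true
  end
end

# An admin reset followed by the user's own change, on constructed data.
def demo
  box = Mailbox.new([])
  user = SketchUser.new('hello@example.com', box)
  user.send_only_admin_changed_your_password_notification!
  user.password = 'set-by-admin'
  user.save!
  user.password = 'set-by-user'
  user.save!
  box.deliveries.map { |d| d[:subject] }
end
```

A spec for the real change would assert the same two properties: one delivery per password change, and the admin-specific subject only on the save where the flag was set.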