add notification by email when an admin logs in from a new IP address. #1027
Conversation
There was a problem hiding this comment.
A few comments after a quick skim-through the changed files
-
Should all fields on the new
admin_logintable be "not null"? -
Should the detection of a new IP address be on a per-admin basis, i.e. a new IP address for that particular admin?
-
The sending of a notification of login from a new IP address seems confusing. The function sendAdminCopy() doesn't return success/failure but even if it did, it tries to send to the
getConfig('admin_address')address, so there is no point in trying to send a further email to the same address if that failed. -
I'm not sure that using
sendAdminCopy()is appropriate though. It is described as "Send notifications about subscribe, update and unsubscribe". Maybe just send to the affected admin and also the system owner. -
Using empty() is often unnecessary, e.g. this can be simply
if (!$enabled)
$enabled = getConfig('notify_admin_login');
if (empty($enabled)) {
return;
}
- There might be a need to view the contents of the admin_login table, otherwise would need to use a tool like phpmyadmin.
- The admin_login table won't exist until an upgrade is performed, so all the uses of the table are going to fail.
Yes, good point, have added that.
Yes, absolutely, that was an oversight.
Yes, I agree, I'll change that.
Well, that's kind of cosmetic.
Yes, one to add at some point. There are more things we don't show in the UI, like the blacklist table.
Yes, I'll check that it won't block stuff like login, that would be bad. |
… just to admin, or superuser
|
OK, I've made sure it doesn't break on a non-upgraded system. I tried it and in fact, it allows you to login, but then kicks you our immediately. I've also updated the sending of the alert. I'm not actually sure if "sendEmail" returns success or failure, but if it doesn't that would be good to change. So, the second bit may never kick in, but we can review that later. |
It didn't happen for me, and you don't want that to happen otherwise the database cannot be upgraded. One further small comment, the layout of the email is a bit untidy possibly due to line-wrapping |
|
Yes, the email content layout is really strange. The first one is slightly wonky, but any subsequent one is even worse
I'll try to figure out why, but sometimes life's too short .... |
|
Ah, the culprit is https://github.com/phpList/phplist3/blob/main/public_html/lists/admin/languages.php#L385 Not sure why we're stripping newlines out there. I wonder what effect it has to remove that. |
|
Ok, I've taken out the stripping of newlines. That should not matter for any other texts, as HTML ignores them anyway, so I think there's no issue with that. Also, reformatted the message a little to avoid line wrapping |
|
I think this is ready to merge |
* Translations for 3.6.15 (#1032) * Translated using Weblate (English) Currently translated at 91.4% (1950 of 2132 strings) Translation: phpList/phpList3 Translate-URL: http://translate.phplist.org/projects/phplist/phplist3/en/ * Translated using Weblate (French) Currently translated at 99.8% (2128 of 2132 strings) Translation: phpList/phpList3 Translate-URL: http://translate.phplist.org/projects/phplist/phplist3/fr/ --------- Co-authored-by: Duncan Cameron <[email protected]> Co-authored-by: Alain Rihs <[email protected]> * Support for indicating and getting feedback for e-mail test messages (#1031) * Update sendemaillib.php 1. Appended a test subject indicator to test messages 1. Added a reply-to address to test messages that have no manual reply-to: using the logged in admin's address or at least the general admin's * Update sendemaillib.php Rephrased variable name * Update sendemaillib.php Switched to using $admin_auth * Allowing subscribers to be filtered by confirmed and/or blacklisted (#1030) * Update users.php Allowed to filter by confirmed and/or non blacklisted - and not just by unconfirmed and/or blacklisted * Changed users to subscribers * Bouncemgt - allowing processing only existing bounces + a related new rule action (#1028) * Update bouncemgt.php Added &justexisting=true * Update processbounces.php 1. Added support for &justexisting=true 1. Added support for new bounce rule action * Update lib.php Added support for new bounce action * Update bouncemgt.php Added non default title (otherwise it takes the wrong one) * Update processbounces.php 1. Replaced goto with if-else 1. Hardcoded "-1" instead of supplying it in a sprintf value * Hardcoding defaults for older PHP versions * Removed modern solution * Update Common plugin and Segment plugin (#1024) * Define timestamp columns explicitly (#1019) * Define timestamp fields explicitly to avoid problem with the mysql setting explicit_defaults_for_timestamp * Remove setting of timestamp fields that are automatically updated * update CI to remove old PHP versions and add 8.3 (#1004) * Escape single quote in error message (#1003) * Allow ajax page links to have a title, defaulting to the link description (#1002) Fixes #996 * Update CONTRIBUTING.md (#994) Removed obsolete references * update UUID class to the latest upstream (#990) * update UUID class to the latest upstream * clean up old files * use the list order, even when grouping by category (#1025) * restore ability to create other super users (#1014) * restore ability to create other super users * correctly initialise the privileges array * Bounces' subscriber' status indicator + allowing to confirm right from bounces (#1029) * Update listbounces.php Added support for confirmed/blacklisted indicator * Update bounces.php Added confirmed/blacklisted indicator * Update bounce.php 1. Added confirmed/blacklisted indicator 1. Added support for confirming user from a bounce * Update bounce.php 1. Avoided ternary if because translation system doesn't support it 1. Used the newer s() function * Update listbounces.php Added curly brackets * Used potential translation * Php8fixes 202401 (#1026) * remove deprecated ini_set call * stop possible warning * avoid warning * avoid warning * cast to int * avoid warning on existing being null * force template to be an integer * suppress warnings * check on valid var and cast to int * give buttons an ID, so they can be targetted with testing * avoid warning on empty array index * add notification by email when an admin logs in from a new IP address. (#1027) * add notification by email when an admin logs in from a new IP address. * check IP per admin * force columns to be not null * prevent blocking login on an non-upgraded system and send login alert just to admin, or superuser * keep newlines in translation as they are * make shorter lines, so it renders a bit better * Remove redundant upgrade steps (#1020) * Remove steps that are unnecessary due to the 3.2.0 being the minimum upgrade version * Keep silent when there are no subscriber UUIDs to generate * Remove other unnecessary upgrade steps --------- Co-authored-by: Michiel Dethmers <[email protected]> * Use utf8mb4 for the connection etc (#1001) * Use utf8mb4 for the connection etc * Support utf8mb4 in campaign subject and content --------- Co-authored-by: Michiel Dethmers <[email protected]> * use PHP8.2 to build * use latest phplint * update docker build from bookworm * set version * avoid the admin being kicked out after upgrade (#1033) * mark update translations as @wip --------- Co-authored-by: Duncan Cameron <[email protected]> Co-authored-by: Alain Rihs <[email protected]> Co-authored-by: lwcorp <[email protected]> Co-authored-by: Duncan Cameron <[email protected]> Co-authored-by: Michiel Dethmers <[email protected]>
|
Hello, Upgraded to version 3.6.15 and it seems this feature is creating side effect on API connection with a superuser.
|
You might have the same problem as described here #1038 (comment) A work-around is to rename or delete the |
Description
This does two things.
Related Issue
Screenshots (if appropriate):