From 63f3637dc2dc3339e9ba258e8c26a70d01170fed Mon Sep 17 00:00:00 2001 From: Guy Sartorelli Date: Wed, 11 May 2022 19:07:03 +1200 Subject: [PATCH] ENH Ensure users are sent emails when passwords are changed by default. --- docs/en/04_Changelogs/4.11.0.md | 16 ++++++++++++++++ src/Security/Member.php | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/en/04_Changelogs/4.11.0.md b/docs/en/04_Changelogs/4.11.0.md index 68e01c834..4115ef90f 100644 --- a/docs/en/04_Changelogs/4.11.0.md +++ b/docs/en/04_Changelogs/4.11.0.md @@ -8,6 +8,7 @@ - [Upload and use WebP images in the CMS](#webp) - [Preview any DataObject in any admin section](#cms-preview) - [Allow-plugins configuration option in Composer versions 2.2.0 and up](#composer) + - [Users will recieve an email if their password is changed](#change-password-email) - [Other features](#other-features) - [Bugfixes](#bugfixes) - [Dependency and internal API changes](#dependency-internal-api-changes) 
@@ -89,6 +90,21 @@ SilverStripe\CMS\Model\SiteTree: New installations using `silverstripe/silverstripe-installer` and `silverstripe/recipe-kitchen-sink` from 4.11 onwards will have the above plugins added to the `allowed-plugins` configuration by default. - From July 2022 composer will no longer prompt to allow plugins when running `composer install`. This won't affect new installs using silverstripe/installer or silverstripe-recipe-kitchen-sink, but will affect other new projects, and existing projects where `allowed-plugins` hasn't yet been defined. In those cases developers will need to declare the allowed plugins manually in the project's `composer.json` file. +### Users will recieve an email if their password is changed {#change-password-email} + +The `SilverStripe\Security\Member.notify_password_change` configuration has been set to `true` by default - it used to be `false`. This means when a user changes their password on a project in "live" mode, they will recieve an email alerting them that their password was changed. The email includes a link to change their password again, so that users can recover their account in the event that someone else changed their password without their knowledge. + +This change was made to improve the default security of your projects, but if you do not want this behaviour you can disable it by setting the configuration to false: + +```yml +SilverStripe\Security\Member: + notify_password_change: false +``` + +The email content can also be changed by overriding the `SilverStripe\Control\Email\ChangePasswordEmail` template. + +Note that this configuration is already enabled by default in the `cwp/cwp-core` module. Projects which have that as a dependency won't experience any change in behaviour. 
+ ### Other new features {#other-features} - A new [AbstractGridFieldComponent](https://api.silverstripe.org/4/SilverStripe/Forms/GridField/AbstractGridFieldComponent.html) class has been added to make it easier to globally add fundamental functionality to `GridFieldComponent`s. All classes packaged with the Silverstripe framework which implement the `GridFieldComponent` interface are subclasses of the new abstract class, making them all `Injectable`. Maintainers of third-party packages which include classes that implement `GridFieldComponent` are encouraged to subclass the `AbstractGridFieldComponent` abstract class. diff --git a/src/Security/Member.php b/src/Security/Member.php index 82a80c768..7f06edf13 100644 --- a/src/Security/Member.php +++ b/src/Security/Member.php @@ -106,7 +106,7 @@ class Member extends DataObject * @config * @var boolean */ - private static $notify_password_change = false; + private static $notify_password_change = true; /** * All searchable database columns
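Review bot: the new table-of-contents entry in the first changelog hunk misspells "receive" as "recieve" (`- [Users will recieve an email if their password is changed](#change-password-email)`); fix the spelling here and keep the link text identical to the section heading it points at so the `#change-password-email` anchor and the TOC read consistently.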
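Review bot: the same "recieve" typo appears twice in the second changelog hunk, in the `### Users will recieve an email if their password is changed {#change-password-email}` heading and in the sentence "they will recieve an email alerting them"; beyond the spelling, the paragraph says the email is sent "on a project in 'live' mode" but never states what happens outside live mode, so add one sentence making the scope explicit for developers testing the upgrade locally, and consider stating that the `notify_password_change: false` override only suppresses the notification, not the password change itself.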
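Review bot: the `Member.php` hunk flips `private static $notify_password_change` from `false` to `true`, which changes behaviour for every existing project on upgrade, but the docblock directly above it (only the `@config` and `@var boolean` tail is visible in this hunk) is left untouched; update its description to document the new default and the condition under which the email is sent, and add or reference a test asserting that a password change now triggers the notification by default so the behavioural change described in the changelog is covered rather than implied by a one-line default flip.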