#5351 closed enhancement (fixed)
Plugin Security - Notify plugin committers when a new committer is added
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Component: | Plugin Directory | Keywords: | |
| Cc: |
Description
To ensure that plugin authors are aware of what's happening with the plugin they're a committer for, we should email existing committers when a new committer is added to a plugin they're a committer for.
The list of committers for a plugin is fairly hidden, and unless an author was to actually look at the list, it's impossible to know that another user has been added until they receive a commit notification.
This would primarily prevent a compromised account being used to add a committer.
Suggested Email that needs some wording work:
From: WordPress Plugins <plugins@...>
Subject: New Committer added to {$plugin_name}
G'Day {$user_login}!
{$new_committer} has been added as a committer to {$plugin_name} by {$committer_who_added_user}.
The following people now have write-access to {$plugin_name}:
* {$me}
* {$myself}
* {$you}
You can manage this list at {$url}.
If you believe this was in error or didn't perform this action yourself,
please contact the Plugins Team immediately and ensure that your password is secure.
-- WordPress Plugins Team
Change History (9)
#2
in reply to:
↑ 1
@
4 years ago
Replying to Ipstenu:
- adding new 'support' people
- changing plugin OWNER
Yep! That sounds reasonable enough.
And can we auto-NOT email people if the action was done by a plugin admin?
Oh I agree on that front :)
They shouldn't get a new-committer email post-approval when the approval process adds them as a committer either.
#3
@
4 years ago
changing plugin OWNER
Turns out we already have this when it happens via the self-serve tooling:
I AM FOR THIS.
Can we also do it for the following:
(And can we auto-NOT email people if the action was done by a plugin admin? We move things around to fix 'em on the QT for folks and that would be a lot of noise).