#5351 closed enhancement (fixed)
Plugin Security - Notify plugin committers when a new committer is added
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Component: | Plugin Directory | Keywords: | |
| Cc: | | | |
Description
To ensure that plugin authors are aware of what's happening with the plugin they're a committer for, we should email existing committers when a new committer is added to a plugin they're a committer for.
The list of committers for a plugin is fairly hidden, and unless an author were to actually look at the list, it's impossible to know that another user has been added until they receive a commit notification.
This would primarily prevent a compromised account being used to add a committer.
Suggested Email that needs some wording work:
    From: WordPress Plugins <plugins@...>
    Subject: New Committer added to {$plugin_name}

    G'Day {$user_login}!

    {$new_committer} has been added as a committer to {$plugin_name} by {$committer_who_added_user}.

    The following people now have write-access to {$plugin_name}:
     * {$me}
     * {$myself}
     * {$you}

    You can manage this list at {$url}.

    If you believe this was in error or didn't perform this action yourself, please contact the Plugins Team immediately and ensure that your password is secure.

    --
    WordPress Plugins Team
Change History (9)
#2 in reply to: ↑ 1 @ 5 years ago
Replying to Ipstenu:
> - adding new 'support' people
> - changing plugin OWNER

Yep! That sounds reasonable enough.

> And can we auto-NOT email people if the action was done by a plugin admin?

Oh I agree on that front :)
They shouldn't get a new-committer email post-approval when the approval process adds them as a committer either.
#3 @ 5 years ago
> changing plugin OWNER

Turns out we already have this when it happens via the self-serve tooling:
I AM FOR THIS.
Can we also do it for the following:
(And can we auto-NOT email people if the action was done by a plugin admin? We move things around to fix 'em on the QT for folks and that would be a lot of noise).
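
The recipient and suppression rules discussed in this ticket, as an added example that is not part of the ticket or the Plugin Directory code. The function name, its parameters and the sample logins are hypothetical; skipping the new committer while still mailing the account that made the change is an assumption drawn from the draft email's "didn't perform this action yourself" line.

```php
<?php
// Added example, not Plugin Directory code. All names here are hypothetical.

/**
 * Build the notifications to send after $new is added as a committer.
 *
 * @param string   $plugin     Plugin name.
 * @param string[] $committers Committer logins AFTER the addition.
 * @param string   $new        Login that was just added.
 * @param string   $actor      Login that performed the addition.
 * @param array    $ctx        'actor_is_admin' and 'is_approval' booleans.
 * @return array[] One ['to', 'subject', 'body'] entry per recipient.
 */
function committer_added_notifications( string $plugin, array $committers, string $new, string $actor, array $ctx = [] ): array {
	// Suppression rules raised in the comments: no mail for plugin-admin
	// actions, and none when the approval process adds the committer.
	if ( ! empty( $ctx['actor_is_admin'] ) || ! empty( $ctx['is_approval'] ) ) {
		return [];
	}

	$list = implode( "\n", array_map( fn( $login ) => "* $login", $committers ) );
	$out  = [];
	foreach ( $committers as $login ) {
		// Assumption: the new committer is skipped, but the actor is NOT,
		// because the account that made the change may be the compromised one.
		if ( $login === $new ) {
			continue;
		}
		$out[] = [
			'to'      => $login,
			'subject' => "New Committer added to $plugin",
			'body'    => "G'Day $login!\n\n$new has been added as a committer to $plugin by $actor.\n\n"
				. "The following people now have write-access to $plugin:\n$list\n",
		];
	}
	return $out;
}

// Constructed sample data: 'alice' adds 'mallory'; alice and bob are mailed.
$mail = committer_added_notifications( 'example-plugin', [ 'alice', 'bob', 'mallory' ], 'mallory', 'alice' );
foreach ( $mail as $m ) {
	echo "To: {$m['to']}\nSubject: {$m['subject']}\n\n{$m['body']}\n";
}

// A change made by a plugin admin produces no mail.
$quiet = committer_added_notifications( 'example-plugin', [ 'alice', 'bob' ], 'bob', 'admin', [ 'actor_is_admin' => true ] );
echo count( $quiet ) . " notifications for the admin-initiated change\n";
```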