Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(admin): set primary email after recovery complete #16516

Merged
merged 7 commits into from
Aug 20, 2024
Merged

feat(admin): set primary email after recovery complete #16516

merged 7 commits into from
Aug 20, 2024

Conversation

miketheman
Copy link
Member

@miketheman miketheman commented Aug 19, 2024
edited
Loading

If the Account Recovery process has an alternate email that is to be used during the process, 'activate' it at the end once completed.

Resolves #16401

@miketheman
feat(admin): set primary email after recovery complete
358ece9 
If the Account Recovery process has an email that is to be used during
the process, 'activate' it at the end once completed.

Resolves pypi#16401
@miketheman miketheman added admin Features needed for the Admin UI (people running the site) email Related to emails labels Aug 19, 2024
@miketheman miketheman requested a review from a team as a code owner August 19, 2024 20:13
@ewdurbin
Copy link
Member

I think this fits the need. One thought that I hadn't really considered is if we should skip password/2FA reset in these conditions. My understanding is that generally this state occurs when someone has their password/2FA but has lost access to the original primary email address.

@Thespi-Brain, do you have any input here?

@Thespi-Brain
Copy link

@ewdurbin I think we should still keep the password/2FA reset because there have been cases where 2FA was not set up in addition to the user not having access to their original primary email address. It's also nice to have a "clean" reset for due diligence and security.

ewdurbin
ewdurbin approved these changes Aug 20, 2024
View reviewed changes
Copy link
Member

@ewdurbin ewdurbin left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Thespi-Brain I am assuming that for situations where users still control their password/2FA, we will update their email address without the account recovery process leading to resetting password/2FA. If so this is good to go.

@Thespi-Brain
Copy link

Thespi-Brain commented Aug 20, 2024
edited
Loading

@ewdurbin Yes, we don't go through the account recovery process for an email update if the user doesn't have any existing projects.

@miketheman miketheman merged commit a66646d into pypi:main Aug 20, 2024
18 checks passed
@miketheman miketheman deleted the miketheman/set-primary-email-on-completion branch August 20, 2024 20:37
@Thespi-Brain Thespi-Brain mentioned this pull request Sep 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ewdurbin ewdurbin ewdurbin approved these changes

Assignees
No one assigned
Labels
admin Features needed for the Admin UI (people running the site) email Related to emails
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

"Start Account Recovery" Process Doesn't Update to Alternate Email Address
3 participants
@miketheman @ewdurbin @Thespi-Brain