Bug: mails are sent to disabled users

What version of eramba you are using (System / About)

3.25.1

A brief explanation of the issue

Notification mails get sent to users that are disabled. We only send to groups, so it is currently unclear if this is a general bug or only for notifications sent to groups. When an employee leaves the company, we disable the account and leave it as it was to retain the audit trail. We could remove that user from all groups to avoid the user still receiving mails via groups, but the described behaviour is unexpected and unseen in other software. A disabled user should not only be prohibited from logging in but also from getting notifications.

What steps, one by one, including screenshots if needed, we must follow in order to reproduce the issue

  • create a user
  • add that user to a group
  • disable that user
  • trigger an action that sends a notification email to that group
  • the user will receive the email
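Added example, not eramba's code: a hypothetical Python model of the recipient resolution the report describes, showing the membership-only expansion beside a corrected version that applies the account-status check once, after groups and custom roles have been expanded. The `Directory` model, the `enabled` flag and the sample addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    email: str
    enabled: bool = True  # False once the account is disabled (login blocked, audit trail kept)


@dataclass
class Directory:
    # Constructed in-memory model; not eramba's schema.
    users: dict = field(default_factory=dict)   # email -> User
    groups: dict = field(default_factory=dict)  # group name -> set of member emails
    roles: dict = field(default_factory=dict)   # custom role name -> set of group names


def expand_recipients(d, users=(), groups=(), roles=()):
    """Flatten direct users, groups and custom roles into a set of e-mail addresses.
    This is the behaviour the thread reports: membership alone decides, status is never checked."""
    emails = set(users)
    for g in groups:
        emails |= d.groups.get(g, set())
    for r in roles:
        for g in d.roles.get(r, ()):
            emails |= d.groups.get(g, set())
    return emails


def resolve_recipients(d, users=(), groups=(), roles=()):
    """Corrected version: apply the enabled check once, after expansion, so every
    resolution path (direct, group, custom role) drops disabled and unknown accounts."""
    return sorted(e for e in expand_recipients(d, users, groups, roles)
                  if e in d.users and d.users[e].enabled)


def build_sample_directory():
    """Constructed sample reproducing the report: a user is created, added to a group,
    then disabled; a custom role points at that same group."""
    d = Directory()
    for email, enabled in [("alice@example.invalid", True), ("jane@example.invalid", False)]:
        d.users[email] = User(email, enabled)
    d.groups["policy-reviewers"] = {"alice@example.invalid", "jane@example.invalid"}
    d.roles["policy-owner"] = {"policy-reviewers"}
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("without status check:", sorted(expand_recipients(d, groups=["policy-reviewers"])))
    print("with status check:   ", resolve_recipients(d, roles=["policy-owner"]))
```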

phew, top bug documentation

top bug documentation in → top bug resolution out :smiley:

I think this would bug me

Int. ref.: https://github.com/eramba/eramba/issues/5011

This is still not fixed, although it is quite an easy implementation. When can we expect this to be fixed? In my book, sending notifications with details to disabled users is a CWE-200 vulnerability - so rather problematic instead of a mere minor issue that exists 1.5 years after it was reported. Especially considering this is a GRC/security relevant tool.

This was fixed in release 3.27.0

I tested right now on 3.29.1 and it works fine; no email is generated when the user is disabled.

Notification runs as expected but no email is sent, and there’s no entry in queue emails.

Happy to take a look again if I am missing something :slightly_smiling_face:

We are on 3.29.1 and mails are still sent to disabled users. I assume you have tested this with a local user? In our setup we use SAML - maybe the bug still exists for non-local users?

Here’s the disabled user. In order for him not to receive the mails anymore, I implemented a workaround by suffixing the email address with a “.DISABLED”.

And here’s a notification sent for a policy review comment. As you can see the user is part of the recipients.

Here’s how the notification is set up:

I tested both types with non-local recipients and got the same result, but I figured out what I was doing differently. I was using the group directly as the recipient. I managed to reproduce it when using custom roles, so this definitely needs to be fixed.

Internal ref.: Jira

Thanks, I’m glad it wasn’t just me :slight_smile: