Ticket #42 (closed enhancement: fixed)

Opened 10 years ago

Last modified 9 years ago

Add user-scheduled quarantine summary digests

Reported by: rjl
Owned by: dmorton
Priority: normal
Milestone: 1.0.0
Component: PHP scripts
Version: 1.0.0 RC5
Severity: normal
Keywords: quarantine summary digest e-mail schedule
Cc:

Description

With this feature, users can specify thresholds (time, count, size) at which an e-mail is sent to them to notify them about the contents of their quarantines. These e-mails would contain the sender's name and e-mail address, the subject line, and a clickable token that uniquely identifies the e-mail in Maia's database. Clicking on that link would open up Maia's mail viewer with that e-mail, so that the user can act on the mail immediately without having to log in to Maia separately.

The e-mail itself would likely be HTML-based, and the tokens would be MD5 hashes unique to the tuple of mail ID and recipient ID, so that a login is not necessary to authenticate the user.

Change History

Changed 9 years ago by dmorton

  • owner changed from rjl to anonymous
  • status changed from new to assigned

I will be working on this next week...

Changed 9 years ago by dmorton

  • owner changed from anonymous to dmorton
  • status changed from assigned to new

Changed 9 years ago by dmorton

  • status changed from new to assigned

Changed 9 years ago by anonymous

The token needs to include some random data, so that the sender of a message cannot guess the token.

I am making this so that the token authenticates the user (and changes the user's session if it doesn't match the token user). Unless someone intercepts the email, this is more secure than the email password. (And if someone intercepts this email, you have a much bigger problem.)

A future idea may be to allow for a PGP key to encrypt this message, for the paranoid.

I am implementing this by adding a token field to the maia_mail_recipients table, and some config values for the digest period. If the user is not logged in, it passes through the xlogin process to set up the session, and then control is passed back to the right page. This adds a useful redirection feature to index.php, too.

Changed 9 years ago by dmorton

Also, since links like "confirm all" don't have a particular record to match a token, a new table needs to be added to store a temporary token. This table will be useful for some other authentication mechanisms too.

These tokens will be designed to be short-lived, and probably one-time use only.

Changed 9 years ago by dmorton

See [731] and [732] for implementation so far.

Changed 9 years ago by dmorton

  • status changed from assigned to closed
  • resolution set to fixed

Closing ticket with changesets: [733][734][735][736][740][741][742][743][744][745][746]

Database schema changes:

  • added token and unique index to maia_mail_recipients
  • added quarantine_digest_interval and last_digest_sent to maia_users
  • added maia_tokens table

  • Added new maintenance file: send-quarantine-digests.pl
  • Added new template file: digest.tpl

Once a token is used to confirm/release a message, or all messages, that token is invalidated. Also, tokens are invalidated by the normal message expiry interval.

I'm using a random generator instead of an md5 sum, as it is less predictable, and has more token space available.

Installations will probably want to customize digest.tpl to fit their own design.
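The token design discussed in this ticket, as an added illustration that is not part of the ticket and is not Maia's code: a deterministic MD5 token next to a random, expiring, one-time token. The `TokenStore` class, its in-memory layout, the 14-day `TOKEN_TTL` and the choice to key rows by a SHA-256 of the token are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 14 * 24 * 3600  # assumed expiry interval, in seconds


def md5_token(mail_id, recipient_id):
    """Originally proposed scheme: deterministic, so anyone who knows or
    guesses the two IDs can recompute the token without seeing the digest."""
    return hashlib.md5(f"{mail_id}:{recipient_id}".encode()).hexdigest()


class TokenStore:
    """In-memory stand-in for a token table (hypothetical layout)."""

    def __init__(self, clock=time.time):
        self._rows = {}  # sha256(token) -> (user_id, mail_id, expires_at)
        self._clock = clock

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a leaked table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, mail_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL
        self._rows[self._key(token)] = (user_id, mail_id, expires_at)
        return token

    def redeem(self, token):
        """Return (user_id, mail_id) once; None if unknown, used or expired."""
        row = self._rows.pop(self._key(token), None)  # pop enforces one-time use
        if row is None or self._clock() > row[2]:
            return None
        return row[0], row[1]
```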
