From fd40eef2d3220bb0a56d8e3d4da57bc4460d859f Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Thu, 26 Feb 2026 10:45:47 +0530
Subject: [PATCH] fix(user): send mail to user to indicate that their password has been updated
Send an e-mail to user to indicate that their password has been changed, fixes a security flaw where user would just be logged out and have no clue as to what occurred
Co-authored-by: Ankush Menat
---
 frappe/core/doctype/user/user.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index b1831d59f9..8e65573474 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -376,9 +376,23 @@ class User(Document):
 toggle_notifications(self.name, enable=cint(self.enabled), ignore_permissions=True)
 self.disable_email_fields_if_user_disabled()
- def email_new_password(self, new_password=None):
+ def set_new_password(self, new_password=None):
+ """Set New Password for user"""
 if new_password and not self.flags.in_insert:
 _update_password(user=self.name, pwd=new_password, logout_all_sessions=self.logout_all_sessions)
+ outgoing_email_exists = frappe.db.exists(
+ "Email Account", {"default_outgoing": 1, "awaiting_password": 0}
+ )
+ if outgoing_email_exists:
+ email_message = _(
+ "Your password has been changed and you might have been logged out of all systems.
Please contact the Administrator for further assistance."
+ )
+ user_email = frappe.db.get_value("User", self.name, "email")
+ frappe.sendmail(
+ recipients=[user_email],
+ subject=_("Security Alert: Your password has been changed."),
+ content=email_message,
+ )
 def set_system_user(self):
 """For the standard users like admin and guest, the user type is fixed."""
@@ -451,7 +465,7 @@ class User(Document):
 msgprint(_("Welcome email sent"))
 return
 else:
- self.email_new_password(new_password)
+ self.set_new_password(new_password)
 except frappe.OutgoingEmailError:
 frappe.clear_last_message()
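Review bot: The alert recipient in `set_new_password` is read back with `frappe.db.get_value("User", self.name, "email")` at send time, so a save that changes both the e-mail address and the password may send the security alert only to the new address. This assumes the method runs after the document has been written; the call site in the second hunk sits in a save-time method whose start is outside the visible lines. Consider taking the previous address from `old = self.get_doc_before_save()` when it returns a document and sending to both addresses when they differ, and skip the mail when no address is set, since `recipients=[None]` is otherwise possible. The message also says the user "might have been logged out of all systems" whether or not `self.logout_all_sessions` is set, and the docstring `"""Set New Password for user"""` should mention that the method sends a notification mail. Indentation is lost on this page, so I am assuming the whole mail block sits under `if new_password and not self.flags.in_insert:`; if it does not, the alert would also fire when no password was changed.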