From a2551db6902b9cabae50ff322cdf8b7156c5d580 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Mon, 20 Jan 2020 23:05:44 -0500
Subject: [PATCH] Add a password change notification email (#1221)
* Adds an email notification for password resets
---
 CTFd/auth.py | 1 +
 CTFd/utils/email/__init__.py | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/CTFd/auth.py b/CTFd/auth.py
index 99bb4621..7829ff16 100644
--- a/CTFd/auth.py
+++ b/CTFd/auth.py
@@ -135,6 +135,7 @@ def reset_password(data=None):
 name=user.name,
 )
 db.session.close()
+ email.password_change_alert(user.email)
 return redirect(url_for("auth.login"))

 if request.method == "POST":
diff --git a/CTFd/utils/email/__init__.py b/CTFd/utils/email/__init__.py
index 52e543fc..428515bd 100644
--- a/CTFd/utils/email/__init__.py
+++ b/CTFd/utils/email/__init__.py
@@ -16,6 +16,17 @@ def sendmail(addr, text, subject="Message from {ctf_name}"):
 return False, "No mail settings configured"


+def password_change_alert(email):
+ ctf_name = get_config("ctf_name")
+ text = (
+ "Your password for {ctf_name} has been changed.\n\n"
+ "If you didn't request a password change you can reset your password here: {url}"
+ ).format(ctf_name=ctf_name, url=url_for("auth.reset_password", _external=True))
+
+ subject = "Password Change Confirmation for {ctf_name}".format(ctf_name=ctf_name)
+ return sendmail(addr=email, text=text, subject=subject)
+
+
 def forgot_password(email):
 token = serialize(email)
 text = """Did you initiate a password reset? If you didn't initiate this request you can ignore this email.
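Review bot: In reset_password the new call reads `user.email` after `db.session.close()`, so it only works if that attribute is still loaded on the now-detached `user` object. If a commit above the hunk expired it and nothing reloaded it, the read would fail after the password has already been changed. Capture the address while the session is open, or place `email.password_change_alert(user.email)` on the line before `db.session.close()`. The result is also dropped here, although sendmail can return `False, "No mail settings configured"`, so a failed or unconfigured alert leaves no trace; logging a falsy result would make a missing notification visible. reset_password starts and ends outside this hunk, so the commit and the type of `user` are inferred.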
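Review bot: The link in password_change_alert comes from `url_for("auth.reset_password", _external=True)`, which takes its host from the current request unless the application pins a server name (Flask's `SERVER_NAME`). The address printed in this security notice can therefore follow a client-supplied Host header. This mail is sent to the account owner exactly when someone else may have just completed the reset, so the link should be built from a configured canonical base URL, or the deployment should be confirmed to reject unexpected Host values. The function also has no docstring; `"""Notify the account's address that its password was changed and point to the reset page."""` would state the intent.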