Send security notification when recovery code is used or created by admin (#5719)

* Send security notification when recovery code is used or created by admin

"Where to store recovery codes" is one of these problems there is no
right answer to, so many people store them in a less-than-optimal place.
If that's the reality we live in, this PR adds at least a little
security so one notices when they get used :)

* Add sentence
Raphael Michel
2026-01-26 10:01:07 +01:00
committed by GitHub
parent 4edc7d95c6
commit 3e0ff1e6ed
3 changed files with 25 additions and 0 deletions

@@ -165,6 +165,10 @@ class UserEmergencyTokenView(AdministratorPermissionRequiredMixin, RecentAuthent
d, __ = StaticDevice.objects.get_or_create(user=self.object, name='emergency')
token = d.token_set.create(token=get_random_string(length=12, allowed_chars='1234567890'))
self.object.log_action('pretix.user.settings.2fa.emergency', user=self.request.user)
self.object.send_security_notice([
_('A two-factor emergency code has been generated by a system administrator. This will usually happen '
'if you lost access to your two-factor credentials and requested a reset of the credentials.')
])
messages.success(request, _(
'The emergency token for this user is "{token}". It can only be used once. Please make sure to transmit '
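Review bot: the notice text passed to send_security_notice explains why a code is usually generated but gives the recipient no next step if they did not request a reset, which is the case this notification exists to catch; add a sentence saying what to do then (for example, contact the system administrators). Separately, the call sits after d.token_set.create(...) and before messages.success(...), so if sending the notice raises, the token already exists but is never shown to the administrator; consider whether a delivery failure should be handled here so the view still completes.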