@Denitz hmm what do you expect by System Emails? I would expect emails that should only be receiverd by System Administrators e. g. Super Administrators (System Emails)

So this would be correct.

Do you know more System Emails that was send by Joomla to Users with sendEmail enabled?

User profile has setting 'Receive System Emails', right now if user activation is hold by Administrators - any users with enabled 'Receive System Emails' will receive email with activation links or user login details.

User profile has setting 'Receive System Emails'

If i understand it not completly wrong the Option Receive System Emails sould only be enabled for users that should receiver System Emails like registration notifications.
So normal user should not have enabled this option.

if user activation is hold by Administrators - any users with enabled 'Receive System Emails' will receive email with activation links or user login details.

No this should never be the case. If you set activation by Administrator the users with Receive System Emails enabled get a message with the message that a new user would be activated.

Is it correct behavior?

Please see the tooltip of the option:

[...] If set to Admin the user will be emailed a link to verify their email address and then all users set to receive system emails and who have the permission to create users will be notified to activate the user's account.

Yes, but registration model loads all users who can receive system emails no matter of usergroups and permissions to create users.

Yes, but registration model loads all users who can receive system emails no matter of usergroups and permissions to create users.

Yes but see some lines later: https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php#L124-141

            // Send mail to all users with users creating permissions and receiving system emails
            foreach ($rows as $row)
            {
                $usercreator = JFactory::getUser($row->id);
                if ($usercreator->authorise('core.create', 'com_users'))
                {
                    $return = JFactory::getMailer()->sendMail($data['mailfrom'], $data['fromname'], $row->email, $emailSubject, $emailBody);
                    // Check for an error.
                    if ($return !== true)
                    {
                        $this->setError(JText::_('COM_USERS_REGISTRATION_ACTIVATION_NOTIFY_SEND_MAIL_FAILED'));
                        return false;
                    }
                }
            }

All works as expected Or miss i something?

Yes, lines 123-141 are fine, but what about these:
https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php#L528-560

hmm correct. But they never get passworts they only get the usernames see the message generation here:
https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php#L515-526

But yes on this you are correct they get a notification (1) that they should not get i guess regarding the tooltip (2). Can you send a PR that implements a similiar check than above?

(1): Hello administrator, \n\nA new user '%s', username '%s', has registered at %s.
(2): all users set to receive system emails and who have the permission to create users will be notified to activate the user's account.

This is how it should be... while I a admin COULD turn "recieve system
mails" on the only time this would be done is if someone needed
information. For example, on my gaming site I have a person who is a
manager but not a "admin" per se` who gets the messages, so that she can
maintain the user base, I simply don't have time to do so. So she
receives system emails so she knows who needs to be activated. There
are never any passwords sent to admins so there is no security risk at all.
J! sends out very few messages for anything.
Bear
On 5/12/2015 03:34, Dennis Hermatski wrote:

class UsersModelRegistration, line 529:

|// Get all admin users $query->clear()
->select($db->quoteName(array('name', 'email', 'sendEmail')))
->from($db->quoteName('#__users')) ->where($db->quoteName('sendEmail')
. ' = ' . 1); |

Is it correct behavior? Any usual user with enabled 'Receive System
Emails' will receive registration notifications.

—
Reply to this email directly or view it on GitHub
#6922.

No virus found in this message.
Checked by AVG - www.avg.com http://www.avg.com
Version: 2015.0.5941 / Virus Database: 4342/9756 - Release Date: 05/12/15

@N6REJ this is the expected behavior.

As to mange the user base he / she need the permission to create user if he / she had this permission all works ok.

At the moment the initial email

Hello administrator, \n\nA new user '%s', username '%s', has registered at %s.

Is send to all users with sendmail enabled. In theory also to users without access to com_users.

After the fix by @Denitz also this initial email will send only to users with the permission to create user. So your construct will still work as expected

@Denitz why you close it?

This is not an issue, such notifications really can be sent to any user.

ok

@zero-24 I ran into an example today of the "In theory also to users without access to com_users."
A standard registered user at a site was asking the site owner why she got a registration info mail for another user. Turned out that for some unknown reason I could see the system email setting was set to yes in their user profile.

She got that ' Hello administrator, \n\nA new user '%s', username '%s', has registered at %s. ' even as registered user only rights.

Looks like it is intended for admins by design https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php#L576
So perhaps there really should be such a check that those getting those mails are admin/or can edit users?

@ot2sen

see: staging...zero-24:patch-13

I'm not sure about the access level? manage or edit?

Nice. Looks like this would stop registered from getting the mail even if their system email setting is yes, if they don´t have specific create or edit permissions.
I am not sure either whether manage, create or edit would be better, sorry.

@zero-24 forgot to mention earlier. Done.
Michael @mbabker would know what we should think or be sure about ;)