#7543 Password recovery should not confirm email addr existance

v1.2.0
closed
Alexander Luberg
security (34) sf-1 (616)
General
Dave Brondsema
2015-08-20
2014-07-07
Dave Brondsema
No

The forgotten password recovery form says "Unable to recover password for this email" if you enter an email that is not in our database. This can be used to determine if an email address is in the system or not. Instead, we should always have a generic success message like "A password reset email has been sent, if the given email address is on record in our system."

Related

Tickets: #7527

Discussion

  • Dave Brondsema

    Dave Brondsema - 2014-07-11
    • Size: --> 1
     

  • Alexander Luberg - 2014-07-14
    • status: open --> in-progress
    • assigned_to: Alexander Luberg
     

  • Alexander Luberg - 2014-07-14

    allura:al/7543

     

  • Alexander Luberg - 2014-07-14
    • status: in-progress --> code-review
     

  • Dave Brondsema

    Dave Brondsema - 2014-07-16

    Looks good.

    I notice some EmailAddress lookup that will probably have to change when we do [#7527]

     

    Related

    Tickets: #7527

  • Dave Brondsema

    Dave Brondsema - 2014-07-16
    • status: code-review --> closed
    • QA: Dave Brondsema
     

  • Dave Brondsema

    Dave Brondsema - 2015-01-05
    • Milestone: unreleased --> asf_release_1.2.0
     

Log in to post a comment.