Project

General

Profile

Actions

Feature #35450

closed

Better validation error message when the domain of email is not allowed

Added by Yuichi HARADA almost 3 years ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

When registering an email address with a disallowed email domain with "My account > Email", the error message "Email is invalid" is displayed.

I don't understand what the error message wants to convey, so fixed the error message.


Files

current-error-message.png (100 KB) current-error-message.png Yuichi HARADA, 2021-06-24 03:56
fixed-error-message.png (98.7 KB) fixed-error-message.png Yuichi HARADA, 2021-06-24 03:57
fixed-error-message.patch (1.78 KB) fixed-error-message.patch Yuichi HARADA, 2021-06-24 03:59
35450-v2.patch (1.84 KB) 35450-v2.patch Go MAEDA, 2022-07-22 02:33
35450-v3.patch (2 KB) 35450-v3.patch Go MAEDA, 2022-07-23 02:52

Related issues

Related to Redmine - Feature #3369: Allowed/Disallowed email domains settings to restrict users' email addressesClosedGo MAEDA2009-05-16

Actions
Actions #1

Updated by Go MAEDA almost 2 years ago

  • File 37151-v2.patch added
  • Subject changed from Fixed an error message when registering an email address for a disallowed email domain to Better validation error message when the domain of email is not allowed
  • Category changed from Code cleanup/refactoring to Accounts / authentication
  • Target version set to 5.1.0

+1
One of my customers was also confused by this error message.

Setting the target version to 5.1.0.

Actions #2

Updated by Go MAEDA almost 2 years ago

  • File deleted (37151-v2.patch)
Actions #4

Updated by Go MAEDA almost 2 years ago

  • Related to Feature #3369: Allowed/Disallowed email domains settings to restrict users' email addresses added
Actions #5

Updated by Go MAEDA almost 2 years ago

I wrote as follows in #3369#note-13 two years ago.

Changed the error message when the domain is not allowed from "Email contains a domain not allowed (example.com)" to simpler "Email is invalid" because the former detailed error message may give attackers useful hints to avoid restrictions especially on /account/register page

Taking the above into account, I have updated the patch so that the detailed error message is not displayed for anonymous users.

Actions #6

Updated by Yuichi HARADA almost 2 years ago

Go MAEDA wrote:

Taking the above into account, I have updated the patch so that the detailed error message is not displayed for anonymous users.

+1
I think the patch is good as I don't have to provide any details to anonymous users.

Actions #7

Updated by Go MAEDA almost 2 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Committed the patch. Thank you.

Actions #8

Updated by Go MAEDA 8 months ago

  • Tracker changed from Patch to Feature
  • Resolution set to Fixed
Actions

Also available in: Atom PDF