Defect #6254
Remove 'invalid user' notification on password request with invalid e-mailadress
| Status: | New | Start date: | 2010-08-31 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Accounts / authentication | |||
| Target version: | - | |||
| Resolution: | Affected version: |
Description
Currently, it is possible to retrieve valid e-mailaddreses from the system by simply trying to request a password for it. If the emailaddress is not valid, Redmine will show a notification stating this.
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
Related issues
History
#1
Updated by Go MAEDA over 5 years ago
- Duplicated by Defect #25144: Account Harvesting login issue added
#2
Updated by Go MAEDA over 5 years ago
source:tags/3.3.2/config/locales/en.yml#L153:
notice_account_unknown_email: Unknown user.
#3
Updated by Go MAEDA over 5 years ago
Aron Rotteveel wrote:
It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.
I completely agree. Redmine should always display notice_account_lost_email_sent ("An email with instructions to choose a new password has been sent to you.").