Skip to:
Content
Pages
Categories
Search
Top
Bottom

Password Recovery doesn’t check if username exists

  • Using bbPress 0.9 and WordPress 2.7 — when a user tries to perform a password recovery, it’ll accept anything. It doesn’t give an error message if the username doesn’t exist.

    Case study (this actually happened):

    A user “forgot” his password, but it turned out he had actually never registered. So he goes to the password recovery page, enters a username that doesn’t exist, and is then greeted with the default reset password text, saying “An email has been sent to the address we have on file for you.” That text made him expect an email which never came.

    A. Is this something that can be fixed? B. Is this something that should be filed as a bug?

Viewing 1 replies (of 1 total)
  • If you simply visit /bb-reset-password.php in 0.9.4 the template options are if($reset) and else. The first says “Your password has been reset…”, the second “An email has been sent…”. So if the file is accessed out of context, it is doomed report the else message, even when absolutely nothing has been sent.

    Bug-wise, it’s re-written in 1.0.

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.