Skip to:
Content
Pages
Categories
Search
Top
Bottom

Password Recovery doesn’t check if username exists


  • raphaelb
    Member

    @raphaelb

    15 years, 5 months ago

    Using bbPress 0.9 and WordPress 2.7 — when a user tries to perform a password recovery, it’ll accept anything. It doesn’t give an error message if the username doesn’t exist.

    Case study (this actually happened):

    A user “forgot” his password, but it turned out he had actually never registered. So he goes to the password recovery page, enters a username that doesn’t exist, and is then greeted with the default reset password text, saying “An email has been sent to the address we have on file for you.” That text made him expect an email which never came.

    A. Is this something that can be fixed? B. Is this something that should be filed as a bug?

Viewing 1 replies (of 1 total)

  • timskii
    Member

    @timskii

    15 years, 5 months ago

    If you simply visit /bb-reset-password.php in 0.9.4 the template options are if($reset) and else. The first says “Your password has been reset…”, the second “An email has been sent…”. So if the file is accessed out of context, it is doomed report the else message, even when absolutely nothing has been sent.

    Bug-wise, it’s re-written in 1.0.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.

Topic Info

Topic Tags

Skip to toolbar