Feature #16485
closed
Added by Torkil Svensgaard over 17 years ago.
Updated over 12 years ago.
Description
As it is now, I could enter a random (valid) email address and an email would go out to the owner, telling him the email isn't known by the system.
If I thought that was funny, I could do it again. At some point, this might get the mail server blacklisted.
If I happened to use an email address known by the system, the same thing would happen, just a different type of email being sent.
How about some configuration options, giving the site owner the ability to allow/disallow the sending of emails in the case where the email is unknown to the system, and introducing some simple measure (pet's name!) to prevent randoms from spamming an email address known by the system?
(issue imported from #M4088)
Files
I would say yes to your first proposal - sending e-mail without explicit permission of the recipient can easily cause big trouble, at least here in Germany.
Your second idea is also worth a thought, but I would perhaps say to even go a bit further: Why not make it optional to have this question as your second password? Ok, it could lead to security problems because your mother's maiden name or your pet's name is usually far more likely to be known by people than the password of your e-mail-account (to fetch the password from the mail). But perhaps some people want it like that, and why not give it to them?
The more options the better =)
In some scenarios, like a secure intranet, you wouldn't want to have to bother with additional security but it is quite important to have the ability to turn it off.
I'm having the same problem ... is there a solution by now?
Sorry to post again: Is there an update/fixing in progress or should I just take another loginbox-extension?
At the moment there is no fix for this in progress. After other work-in-progress is integrated I'll care about this. If you like to quicken the process, you may contribute a fix for this...
File newloginbox_pi1.tar.bz2 (based on version 3.1.0) contains a patch which will fix this problem.
Translation for English and German added (forgot_password_notfound).
Translation forgot_password_no_pswmsg can be removed if no longer used.
If the email is not found, a message will be displayed instead of sending an email.
- Status changed from Accepted to Needs Feedback
- Assignee deleted (Steffen Kamper)
- Target version deleted (0)
- TYPO3 Version set to 4.2
- Status changed from Needs Feedback to Closed
In the current felogin plugin an email will only be sent if the address is known to the system. No clue is given whether the mail address is known or not.
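The behaviour described in the closing comment (mail goes out only for known addresses, and the response gives no clue either way), as an added sketch that is not felogin's code. The per-address cooldown, all names and the 900-second value are assumptions added here to cover the repeated-request concern from the description.

```python
import hashlib
import time

# Constructed sample data: addresses "known to the system".
KNOWN_USERS = {"alice@example.org"}
COOLDOWN_SECONDS = 900  # assumed value, not a felogin setting
GENERIC_REPLY = "If the address is registered, a reset link has been sent."


class ForgotPasswordHandler:
    """Hypothetical handler: uniform reply, mail only to known addresses."""

    def __init__(self, known_users, send_mail, clock=time.monotonic):
        self.known_users = {u.lower() for u in known_users}
        self.send_mail = send_mail   # callable(address); hypothetical mail hook
        self.clock = clock
        self.last_request = {}       # sha256(address) -> time of last accepted request

    def request_reset(self, address):
        normalized = address.strip().lower()
        key = hashlib.sha256(normalized.encode("utf-8")).hexdigest()
        now = self.clock()
        # Drop expired entries so the table cannot grow without bound.
        self.last_request = {k: t for k, t in self.last_request.items()
                             if now - t < COOLDOWN_SECONDS}
        if key not in self.last_request:
            # Unknown addresses are tracked too, so both cases share one code path.
            self.last_request[key] = now
            if normalized in self.known_users:
                self.send_mail(normalized)
        # Same reply for known, unknown and throttled requests.
        return GENERIC_REPLY


def demo():
    sent = []
    fake_now = [0.0]
    handler = ForgotPasswordHandler(KNOWN_USERS, sent.append,
                                    clock=lambda: fake_now[0])
    replies = [handler.request_reset("alice@example.org"),
               handler.request_reset("Alice@Example.org "),  # repeat inside cooldown
               handler.request_reset("nobody@example.net")]  # unknown address
    fake_now[0] = COOLDOWN_SECONDS + 1
    replies.append(handler.request_reset("alice@example.org"))  # cooldown expired
    return replies, sent


if __name__ == "__main__":
    print(demo())
```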