Project

General

Profile

Actions

Bug #20911

closed

(case: forgot email) ->Mail sent to persons in any case, even if they are not registered!

Added by Marcel Fitzner over 15 years ago. Updated almost 13 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2009-08-21
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If users enter wrong email-adress (or even abuse the forgot password form),
an email is sent without checking if the user has ever been registered under the entered email-adress.

Selbiges Problem gab es schon bei newloginbox..
(issue imported from #M11765)


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #23199: Forgot password for non existant usersClosed2010-07-15

Actions
Has duplicate TYPO3 Core - Bug #21277: Danger for misusing forgot password function for spamming mailboxesClosedChristian Kuhn2009-10-15

Actions
Actions #1

Updated by Chris topher over 15 years ago

If the form told the user that the e-mail-address he entered is not registered, this would open a way of guessing registered e-mail-addresses.

If it would not send out an e-mail without any notice, a user who has registered himself at the website, but perhaps with another e-mail-adress, would think, that the send-password-function does not work at all.

That's the problem...
Do you have an idea to solve that?

Actions #2

Updated by Marcel Fitzner about 15 years ago

Indeed. Such a case would be solved in a better way by the FE-plugin showing that the entered email-adress had not been registered and therefor no mail has been sent,
so the user would be able to try another email-adress. By this an unnecessarily sent mail could be spared.

Actions #3

Updated by Chris topher about 15 years ago

As I already wrote: This will open a way of guessing registered e-mail-addresses.
The way you propose to do it the information whether a certain e-mail-address is registered or not is disclosed to the public.
The fact that an address is registered at a website may be regarded as confidential by some users.
For them it will not be acceptable to see this information available in the public that way.

Actions #4

Updated by Marcel Fitzner about 15 years ago

Ah yes, sorry..

Maybe just a simple request would help, if the entered email-adress is correct.

The user can then agree, in order to get the new password,
or, simply, go back back to the previous form,
in order to show the input field for the email-adress.

So there wouldn't be a possibility to check, if the email-adress is registered.

But at least, the user can be indicated, that he should review his input, in order to possibly correct typing errors..

...and besides that he feels, that an email will be sent to the given adress, in any case...[if wrong, then without pw of course]...

Actions #5

Updated by Markus Klein about 15 years ago

Indeed, data protection is a problem in this case.

But maybe you can provide an option to choose between sending an email and displaying in FE.
The sending of mail can stay as default.

Actions #6

Updated by Mr. Hudson about 13 years ago

  • Status changed from New to Under Review

Patch set 2 of change I8d8ad52bf12938645bb9b144872ec64f92f875d0 has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #7

Updated by Mr. Hudson about 13 years ago

Patch set 3 of change I8d8ad52bf12938645bb9b144872ec64f92f875d0 has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #8

Updated by Gerrit Code Review almost 13 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #9

Updated by Steffen Gebert almost 13 years ago

  • Status changed from Under Review to Rejected
  • Target version deleted (0)
  • TYPO3 Version set to 4.7

Duplicate of #20911

Actions

Also available in: Atom PDF