Bug #20911

closed

(case: forgot email) ->Mail sent to persons in any case, even if they are not registered!

Added by Marcel Fitzner over 14 years ago. Updated over 12 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: felogin
Target version: -
Start date: 2009-08-21
% Done: 0%
TYPO3 Version: 4.7

Description

If users enter a wrong email address (or even abuse the forgot password form),
an email is sent without checking if the user has ever been registered under the entered email address.

The same problem already existed with newloginbox..
(issue imported from #M11765)


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #23199: Forgot password for non existant users (Closed, 2010-07-15)

Has duplicate TYPO3 Core - Bug #21277: Danger for misusing forgot password function for spamming mailboxes (Closed, Christian Kuhn, 2009-10-15)

Actions #1

Updated by Chris topher over 14 years ago

If the form told the user that the e-mail-address he entered is not registered, this would open a way of guessing registered e-mail-addresses.

If it would not send out an e-mail without any notice, a user who has registered himself at the website, but perhaps with another e-mail-address, would think that the send-password function does not work at all.

That's the problem...
Do you have an idea to solve that?

Actions #2

Updated by Marcel Fitzner over 14 years ago

Indeed. Such a case would be solved in a better way by the FE-plugin showing that the entered email address had not been registered and therefore no mail has been sent,
so the user would be able to try another email address. By this an unnecessarily sent mail could be spared.

Actions #3

Updated by Chris topher over 14 years ago

As I already wrote: This will open a way of guessing registered e-mail-addresses.
The way you propose to do it, the information whether a certain e-mail-address is registered or not is disclosed to the public.
The fact that an address is registered at a website may be regarded as confidential by some users.
For them it will not be acceptable to see this information available in the public that way.

Actions #4

Updated by Marcel Fitzner over 14 years ago

Ah yes, sorry..

Maybe just a simple request would help, asking if the entered email address is correct.

The user can then agree, in order to get the new password,
or simply go back to the previous form,
in order to show the input field for the email address.

So there wouldn't be a possibility to check if the email address is registered.

But at least it can be indicated to the user that he should review his input, in order to possibly correct typing errors..

...and besides that he feels that an email will be sent to the given address, in any case...[if wrong, then without pw of course]...

Actions #5

Updated by Markus Klein over 14 years ago

Indeed, data protection is a problem in this case.

But maybe you can provide an option to choose between sending an email and displaying in FE.
The sending of mail can stay as default.

Actions #6

Updated by Mr. Hudson over 12 years ago

  • Status changed from New to Under Review

Patch set 2 of change I8d8ad52bf12938645bb9b144872ec64f92f875d0 has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #7

Updated by Mr. Hudson over 12 years ago

Patch set 3 of change I8d8ad52bf12938645bb9b144872ec64f92f875d0 has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #8

Updated by Gerrit Code Review over 12 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6649

Actions #9

Updated by Steffen Gebert over 12 years ago

  • Status changed from Under Review to Rejected
  • Target version deleted (0)
  • TYPO3 Version set to 4.7

Duplicate of #20911
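
One way to reconcile the report with the objection raised in comments #1 and #3, as an added example that is not part of the original thread and not felogin's code: the frontend shows the same message for every address, and mail is sent only when the address belongs to an account. The `REGISTERED` list, the hourly limit and the function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: stands in for the frontend user lookup (assumption).
const REGISTERED = ['alice@example.org' => 'alice'];
const MAX_REQUESTS_PER_HOUR = 3; // hypothetical throttle per address

/**
 * Handle a forgot-password request.
 * Returns [message shown in the frontend, mails queued for sending].
 */
function handleForgotPassword(string $input, array &$requestLog, int $now): array
{
    // The frontend message is identical for every outcome, so the form
    // cannot be used to test whether an address is registered.
    $message = 'If this address is registered, a mail with further '
             . 'instructions has been sent. Please check the address for typos.';
    $mails = [];

    $email = strtolower(trim($input));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [$message, $mails];
    }

    // Throttle per address, registered or not, so repeated submissions
    // cannot flood a mailbox and the visible outcome stays uniform.
    $recent = array_filter($requestLog[$email] ?? [], fn (int $t): bool => $t > $now - 3600);
    $recent[] = $now;
    $requestLog[$email] = $recent;
    if (count($recent) > MAX_REQUESTS_PER_HOUR) {
        return [$message, $mails];
    }

    // Mail goes out only to addresses that belong to an account.
    if (array_key_exists($email, REGISTERED)) {
        $token = bin2hex(random_bytes(16)); // random token; storing and expiring it is omitted
        $mails[] = ['to' => $email, 'body' => "Reset token: $token"];
    }
    return [$message, $mails];
}

// Demo with constructed requests: registered, unregistered, malformed.
$log = [];
foreach (['alice@example.org', 'mallory@example.net', 'not-an-address'] as $in) {
    [$msg, $mails] = handleForgotPassword($in, $log, time());
    printf("%-22s mails=%d  %s\n", $in, count($mails), $msg);
}
```

All three requests print the same frontend message; only the registered address produces a queued mail.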
