Bug #94200
closed
Reset password command wrongly states that a password reset email was sent
100%
Description
To prevent information disclosure, the password reset process does not reveal if an email was sent or not (since the methods just return void).
However, the ResetPasswordCommand will always display a success message Sent out an email to "some@email.com" requesting to set a new password., as soon as the input arguments are valid and password reset is enabled. But in case a password reset for an admin user is requested, while passwordResetForAdmins is not enabled, no email will be sent. So the message is highly misleading.
To fix this, the message should only inform about the successfully initiated password reset process.
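The behaviour described above, as an added sketch that is not TYPO3 code and not part of the original report: a void reset routine that silently skips unknown users and admins when admin resets are disabled, and a command message that only claims the process was initiated. The function names, the user list and the message wording are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one editor, one admin. Not taken from TYPO3.
const USERS = [
    'editor@example.org' => ['admin' => false],
    'admin@example.org'  => ['admin' => true],
];

/**
 * Hypothetical stand-in for the reset service: returns void on every path,
 * so a caller cannot tell whether a mail was queued.
 */
function initiateReset(string $email, bool $resetForAdmins, array &$outbox): void
{
    $user = USERS[$email] ?? null;
    if ($user === null) {
        return; // unknown address: silently do nothing
    }
    if ($user['admin'] && !$resetForAdmins) {
        return; // admin reset disabled: silently do nothing
    }
    $outbox[] = $email; // stands in for sending the reset mail
}

/** Constructed wording: states only what the command actually knows. */
function commandMessage(string $email): string
{
    return sprintf('Password reset for email address "%s" initiated.', $email);
}

$outbox = [];
$messages = [];
foreach (['editor@example.org', 'admin@example.org', 'nobody@example.org'] as $email) {
    initiateReset($email, false, $outbox);
    // Same wording with the address masked, to compare across the three cases.
    $messages[] = str_replace($email, '<email>', commandMessage($email));
    echo commandMessage($email), PHP_EOL;
}

// Three different outcomes, one identical and truthful message; one mail queued.
assert(count(array_unique($messages)) === 1);
assert($outbox === ['editor@example.org']);
echo 'Mails queued: ', implode(', ', $outbox), PHP_EOL;
```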
Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/69270
Updated by Oliver Bartsch over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset de8529b0f520fe2fc55e6ab46a45e3cf03638935.
Updated by Gerrit Code Review over 3 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/69296
Updated by Oliver Bartsch over 3 years ago
- Status changed from Under Review to Resolved
Applied in changeset 528b3a337118676683a18b8ca9e6b16687345481.