Fake recovery by email address, to hide registrants on the site
This commit is contained in:
parent
731d283159
commit
82f9b6908c
@ -272,10 +272,16 @@ class RecoverpasswordAction extends Action
|
||||
try {
|
||||
User::recoverPassword($nore);
|
||||
$this->mode = 'sent';
|
||||
// TRANS: User notification after an e-mail with instructions was sent from the password recovery form.
|
||||
$this->msg = _('Instructions for recovering your password ' .
|
||||
'have been sent to the email address registered to your ' .
|
||||
'account.');
|
||||
if (common_is_email($nore) && common_config('site', 'fakeaddressrecovery')) {
|
||||
// TRANS: User notification when recovering password by giving email address,
|
||||
// regardless if the mail was sent or not (to hide registered email status).
|
||||
$this->msg = _('If the email address you provided was found in the database, a recovery mail with instructions has been sent there.');
|
||||
} else {
|
||||
// TRANS: User notification after an e-mail with instructions was sent from the password recovery form.
|
||||
$this->msg = _('Instructions for recovering your password ' .
|
||||
'have been sent to the email address registered to your ' .
|
||||
'account.');
|
||||
}
|
||||
$this->success = true;
|
||||
} catch (Exception $e) {
|
||||
$this->success = false;
|
||||
|
@ -873,16 +873,20 @@ class User extends Managed_DataObject
|
||||
}
|
||||
|
||||
// No luck finding anyone by that email address.
|
||||
// TODO: Fake sending email (since we don't want to reveal which addresses exist or not)
|
||||
if (!$user instanceof User) {
|
||||
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
|
||||
if (common_config('site', 'fakeaddressrecovery')) {
|
||||
// Return without actually doing anything! We fake address recovery
|
||||
// to avoid revealing which email addresses are registered with the site.
|
||||
return;
|
||||
}
|
||||
// TRANS: Information on password recovery form if no known e-mail address was specified.
|
||||
throw new ClientException(_('No user with that email address exists here.'));
|
||||
}
|
||||
} else {
|
||||
// This might throw a NicknameException on bad nicknames
|
||||
$user = User::getKV('nickname', common_canonical_nickname($nore));
|
||||
if (!$user instanceof User) {
|
||||
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
|
||||
// TRANS: Information on password recovery form if no known username was specified.
|
||||
throw new ClientException(_('No user with that nickname exists here.'));
|
||||
}
|
||||
}
|
||||
|
@ -48,6 +48,7 @@ $default =
|
||||
'languages' => get_all_languages(),
|
||||
'email' =>
|
||||
array_key_exists('SERVER_ADMIN', $_SERVER) ? $_SERVER['SERVER_ADMIN'] : null,
|
||||
'fakeaddressrecovery' => true,
|
||||
'broughtby' => null,
|
||||
'timezone' => 'UTC',
|
||||
'broughtbyurl' => null,
|
||||
|
Loading…
Reference in New Issue
Block a user