When requesting an email link for an account, the page tells you whether the address exists. This is insecure and unneeded. It should be changed to a generic message: “if the address is known we have sent you a link to login”.
Best regards,
Sander Mathijssen
Apologies if this is not the correct place for forum bug reports
Thanks. Is there any setting option / switch for Discourse?
I found this, but it’s hard to change if the logic is hard-coded:
```yaml
action: "I forgot my password"
invite: "Enter your username or email address, and we'll send you a password reset email."
invite_no_username: "Enter your email address, and we'll send you a password reset email."
reset: "Reset Password"
complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
complete_email: "If an account matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."
complete_username_found: "We found an account that matches the username <b>%{username}</b>. You should receive an email with instructions on how to reset your password shortly."
complete_email_found: "We found an account that matches <b>%{email}</b>. You should receive an email with instructions on how to reset your password shortly."
complete_username_not_found: "No account matches the username <b>%{username}</b>"
complete_email_not_found: "No account matches <b>%{email}</b>"
help: "Email not arriving? Be sure to check your spam folder first.<p>Not sure which email address you used? Enter an email address and we’ll let you know if it exists here.</p><p>If you no longer have access to the email address on your account, please contact <a href='%{basePath}/about'>our helpful staff.</a></p>"
button_ok: "OK"
button_help: "Help"
email_login:
  link_label: "Email me a login link"
  button_label: "with email"
  login_link: "Skip the password; email me a login link"
  emoji: "lock emoji"
  complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with a login link shortly."
```
The config file of the server should contain that option configured. If we change it to line 2096, it will not tell you whether it exists.
Or perhaps this should be an issue in the Discourse repo?
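To make the difference between the two kinds of message concrete, here is an added Ruby example (not Discourse's own code) contrasting a handler whose reply reveals whether the address exists with one that answers identically for every address and only enqueues the email as a background job. `KNOWN_EMAILS`, `QUEUE` and the handler names are constructed stand-ins for the user table, the job queue and the controller action.

```ruby
# Added example, not Discourse code. Two ways to handle "email me a login link":
# the leaky handler's status and body depend on whether the address exists,
# the hardened handler returns the same status and body for every input and
# defers the only real side effect (sending the email) to a job queue.

# Constructed stand-in for the user table.
KNOWN_EMAILS = ["alice@example.com"].freeze

# Constructed stand-in for a background job queue.
QUEUE = []

def account_exists?(email)
  KNOWN_EMAILS.include?(email.strip.downcase)
end

# Leaky: the message and HTTP status reveal whether an account exists.
def leaky_email_login(email)
  if account_exists?(email)
    QUEUE << { job: :send_login_link, email: email }
    { status: 200, message: "We found an account that matches #{email}. You should receive an email with a login link shortly." }
  else
    { status: 404, message: "No account matches #{email}" }
  end
end

# Hardened: identical status and message regardless of input. The email is
# only enqueued when an account exists, but the requester cannot observe that.
GENERIC_MESSAGE = "If an account matches the address, we have sent you a link to log in."

def uniform_email_login(email)
  QUEUE << { job: :send_login_link, email: email } if account_exists?(email)
  { status: 200, message: GENERIC_MESSAGE }
end

# Defender-side check: the replies for a known and an unknown address must be
# indistinguishable. Takes a Method object, returns true when the handler passes.
def responses_indistinguishable?(handler)
  known   = handler.call("alice@example.com")
  unknown = handler.call("nobody@example.com")
  known == unknown
end
```

Enqueueing the email keeps the response body and status uniform; the database lookup still runs for both cases, so rate limiting the endpoint remains the usual complement to the generic message.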