We are no longer offering accounts on this server. Consider https://gitlab.freedesktop.org/ as a place to host projects.

Commit 82f9b690 authored by mattl's avatar mattl

Fake recovery by email address, to hide registrants on the site

parent 731d2831
......@@ -272,10 +272,16 @@ class RecoverpasswordAction extends Action
try {
User::recoverPassword($nore);
$this->mode = 'sent';
// TRANS: User notification after an e-mail with instructions was sent from the password recovery form.
$this->msg = _('Instructions for recovering your password ' .
'have been sent to the email address registered to your ' .
'account.');
if (common_is_email($nore) && common_config('site', 'fakeaddressrecovery')) {
// TRANS: User notification when recovering password by giving email address,
// regardless if the mail was sent or not (to hide registered email status).
$this->msg = _('If the email address you provided was found in the database, a recovery mail with instructions has been sent there.');
} else {
// TRANS: User notification after an e-mail with instructions was sent from the password recovery form.
$this->msg = _('Instructions for recovering your password ' .
'have been sent to the email address registered to your ' .
'account.');
}
$this->success = true;
} catch (Exception $e) {
$this->success = false;
......
......@@ -873,16 +873,20 @@ class User extends Managed_DataObject
}
// No luck finding anyone by that email address.
// TODO: Fake sending email (since we don't want to reveal which addresses exist or not)
if (!$user instanceof User) {
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
if (common_config('site', 'fakeaddressrecovery')) {
// Return without actually doing anything! We fake address recovery
// to avoid revealing which email addresses are registered with the site.
return;
}
// TRANS: Information on password recovery form if no known e-mail address was specified.
throw new ClientException(_('No user with that email address exists here.'));
}
} else {
// This might throw a NicknameException on bad nicknames
$user = User::getKV('nickname', common_canonical_nickname($nore));
if (!$user instanceof User) {
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
// TRANS: Information on password recovery form if no known username was specified.
throw new ClientException(_('No user with that nickname exists here.'));
}
}
......
......@@ -48,6 +48,7 @@ $default =
'languages' => get_all_languages(),
'email' =>
array_key_exists('SERVER_ADMIN', $_SERVER) ? $_SERVER['SERVER_ADMIN'] : null,
'fakeaddressrecovery' => true,
'broughtby' => null,
'timezone' => 'UTC',
'broughtbyurl' => null,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment