Send an email if a user that does not exist requests a password email. #122

Open
maxpeterson opened this issue May 6, 2015 · 2 comments

Comments

@maxpeterson
Member

If you request a password reset with an email address for a user that does not exist or is not active then no email is sent.

Can we send a "You do not have an account" email in this case?

(cc @meshy @jturnbull )

@meshy
Contributor

meshy commented May 6, 2015

We should probably just tell the user that they don't have an account.

@jturnbull
Contributor

Yeah, sending an email to a user who hasn't opted in to receive any emails is probably more open to abuse than finding out if the user exists on the system.

If the form is rate-limited then an attacker can't brute-force real email addresses.
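The trade-off discussed in this thread (tell the requester there is no account, send no email to unknown addresses, and bound enumeration with a rate limit), sketched as an added example that is not code from this project. `SlidingWindowLimiter`, `request_password_reset`, the `ACCOUNTS` set and the limit values are hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: the only account known to this toy system.
ACCOUNTS = {"alice@example.com"}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the window can be tested
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def request_password_reset(email, client_ip, limiter, outbox):
    """Hypothetical form handler: returns the status shown to the requester."""
    # Check the limit before the account lookup, so a throttled request
    # reveals nothing about whether the address is registered.
    if not limiter.allow(client_ip):
        return "rate_limited"
    address = email.strip().lower()
    if address not in ACCOUNTS:
        # No email is sent to an address that never opted in.
        return "no_account"
    outbox.append(address)  # stand-in for sending the reset email
    return "reset_sent"
```

Keying the limiter on the client address only bounds a single source; a deployment would usually pair it with a global budget for the form as well.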
