Opened 8 years ago
Last modified 7 years ago
#40065 new enhancement
Check for invalid user before `lostpassword_post` in `retrieve_password()`
Reported by: | jfarthing84 | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.7.3 |
Component: | Login and Registration | Keywords: | has-patch dev-feedback |
Focuses: | | Cc: | |
Description
Some errors are added before `lostpassword_post` and one is added after. It'd be nice if all of the errors were present when the action is called. This patch fixes that.
Attachments (1)
Change History (4)
I would have liked to prevent information disclosure in login and password retrieval forms by returning a generic message rather than one that indicates whether or not a username/email is valid. However, this is not possible because that one check can add an error after the filter is called.