Make WordPress Core

Opened 2 weeks ago

Last modified 2 weeks ago

#44334 new enhancement

'Invalid username or email' can just be 'Invalid username' in retrieve_password function

Reported by: subrataemfluence
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: dev-feedback
Focuses: administration
Cc:

Description

Since strpos returns false if a character is not found within the input string and returns 0 if it is found at the beginning of it, the error message "There is no user registered with that email address." will only come up if the user could not be located with the supplied email address. For anything else we can just use "Invalid username".

Example: myname@gmail.com

  • Error message: There is no user registered with that email address.
  • This is correct since strpos only returns true if @ is somewhere within the string or at the end.

Example: @myname

  • Error message: Invalid username
  • No need to add the phrase "or email"

Example: @@myname

  • Error message: Invalid username
  • No need to add the phrase "or email"

Example: myname

  • Error message: Invalid username
  • No need to add the phrase "or email"

Attachments (1)

44334.diff (400 bytes) - added by subrataemfluence 2 weeks ago.
Proposed


Change History (3)

@subrataemfluence
2 weeks ago

Proposed

#1 @joyously
2 weeks ago

It's not actually broken, is it?

Should this error show the detail of why the login didn't work? Does it help the hacker more than the user?

Can you state the problem you are trying to solve, instead of just showing your solution?

#2 @subrataemfluence
2 weeks ago

Neither is anything broken, nor did login fail to work!

All I wanted to say is: if something is not necessary to show, why should we show it, especially when we can be more specific about it? If we have a proper email address check and a specific error message related to it, why can we not be specific when the username is checked?

I may be wrong, but to my understanding removing the phrase "or email" when not checking for email address is probably a better idea.
