Opened 7 years ago
Last modified 7 years ago
#44334 new enhancement
'Invalid username or email' can just be 'Invalid username' in retrieve_password function
Reported by: | subrataemfluence | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | dev-feedback |
Focuses: | administration | Cc: |
Description
Since strpos returns false if a character is not found within the input string and returns 0 if it is found at the beginning of it, the error message "There is no user registered with that email address." will only come up if the user could not be located with the supplied email address. For anything else we can just use "Invalid username".
Example: myname@gmail.com
- Error message: There is no user registered with that email address.
- This is correct since strpos only returns true if @ is somewhere within the string or at the end.
Example: @myname
- Error message: Invalid username
- No need to add the phrase or email
Example: @@myname
- Error message: Invalid username
- No need to add the phrase or email
Example: myname
- Error message: Invalid username
- No need to add the phrase or email
Attachments (1)
Change History (3)
#1
@
7 years ago
It's not actually broken, is it?
Should this error show the detail of why the login didn't work? Does it help the hacker more than the user?
Can you state the problem you are trying to solve, instead of just showing your solution?
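The branch selection the description walks through, together with the disclosure question raised in comment #1, as an added PHP sketch. It is a simplified model, not WordPress core code and not part of the ticket; `SAMPLE_USERS`, `find_user`, `specific_message`, `uniform_message` and the wording of the uniform message are hypothetical.

```php
<?php
// Added illustration: a simplified model, not WordPress core's retrieve_password().
// Constructed sample account (hypothetical data).
const SAMPLE_USERS = [
    ['login' => 'alice', 'email' => 'alice@example.com'],
];

// Hypothetical stand-in for a user lookup by 'login' or 'email'.
function find_user(string $field, string $value): ?array
{
    foreach (SAMPLE_USERS as $user) {
        if (strcasecmp($user[$field], $value) === 0) {
            return $user;
        }
    }
    return null;
}

// Per-branch messages as quoted in the ticket. strpos() is used for its
// truthiness: false (no '@') and 0 ('@' is the first character) are both
// falsy, so both inputs take the username branch.
function specific_message(string $input): string
{
    $input = trim($input);
    if (strpos($input, '@')) {
        return find_user('email', $input) !== null
            ? 'OK'
            : 'There is no user registered with that email address.';
    }
    return find_user('login', $input) !== null
        ? 'OK'
        : 'Invalid username or email';
}

// Uniform alternative (assumed wording): the same text for every outcome,
// so the response does not reveal whether an account exists.
function uniform_message(string $input): string
{
    specific_message($input); // the lookup still runs; its result is not disclosed
    return 'If that account exists, a reset link has been sent.';
}

// The four inputs from the ticket, plus one constructed existing login.
foreach (['myname@gmail.com', '@myname', '@@myname', 'myname', 'alice'] as $in) {
    printf("%-18s | %-52s | %s\n", $in, specific_message($in), uniform_message($in));
}
```

With the per-branch messages, a caller can tell an existing account ("OK") from a missing one and can tell which lookup ran; the uniform variant returns identical text in all five cases.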
#2
@
7 years ago
Neither is anything broken, nor did login fail to work!
All I wanted to say is: if something is not necessary to show, why should we show it, especially when we can be more specific about it? If we have a proper email address check and a specific error message related to it, why can't we be specific when the username is checked?
I may be wrong, but to my understanding removing the phrase "or email" when not checking for email address is probably a better idea.
Proposed