[PATCH] privacy: on password reset, don't tell strangers if email is valid or not

Andrew Shadura andrew at shadura.me
Sat May 16 10:39:54 EDT 2015


On Sat, 16 May 2015 16:37:42 +0200
Andrew Shadura <andrew at shadura.me> wrote:

> Password reset form might be used to check if users with specific
> email addresses have accounts in the system by requesting their
> password to be reset. It's probably not a good idea to give this sort
> of information to complete strangers.

Obviously, there's still a similar issue with login and registration
forms, but those issues are to be dealt with separately. The login form is
one which isn't hard to fix; the registration form is something slightly
different, though.
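
The leak described in the quoted commit message and one way to close it, as an added example that is not part of the original message or of Kallithea's code. The account store, function names and reply strings are hypothetical, and the sample addresses are constructed.

```python
import hashlib
import secrets

# Constructed sample account store (hypothetical; not Kallithea's user model).
USERS = {"alice@example.org": {"reset_token_hash": None}}

GENERIC_REPLY = ("If that address belongs to an account, "
                 "a password reset link has been sent to it.")


def request_reset_leaky(email):
    """Behaviour the message objects to: the reply depends on whether
    an account with this address exists."""
    if email.strip().lower() not in USERS:
        return "No account is registered with that email address."
    return "A password reset link has been sent."


def request_reset_uniform(email, outbox):
    """Return the same reply for every address. Only the side effect
    (a token mailed to the real owner) differs between the two cases."""
    key = email.strip().lower()
    user = USERS.get(key)
    if user is not None:
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not yield usable tokens.
        user["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        outbox.append((key, token))  # stands in for sending the mail
    return GENERIC_REPLY


def distinguishable(handler, known, unknown):
    """True if the reply text alone tells a registered address from an
    unregistered one. Reply text is the only channel compared here."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    outbox = []
    print("leaky form distinguishable:",
          distinguishable(request_reset_leaky,
                          "alice@example.org", "nobody@example.org"))
    print("uniform form distinguishable:",
          distinguishable(lambda e: request_reset_uniform(e, outbox),
                          "alice@example.org", "nobody@example.org"))
    print("mails queued:", [addr for addr, _ in outbox])
```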
