Fake recovery by email address, to hide registrants on the site

This commit is contained in:
Mikael Nordfeldth 2015-05-30 23:29:16 +02:00
parent 731d283159
commit 82f9b6908c
3 changed files with 18 additions and 7 deletions

View File

@ -272,10 +272,16 @@ class RecoverpasswordAction extends Action
try {
User::recoverPassword($nore);
$this->mode = 'sent';
if (common_is_email($nore) && common_config('site', 'fakeaddressrecovery')) {
// TRANS: User notification when recovering password by giving email address,
// regardless if the mail was sent or not (to hide registered email status).
$this->msg = _('If the email address you provided was found in the database, a recovery mail with instructions has been sent there.');
} else {
// TRANS: User notification after an e-mail with instructions was sent from the password recovery form.
$this->msg = _('Instructions for recovering your password ' .
'have been sent to the email address registered to your ' .
'account.');
}
$this->success = true;
} catch (Exception $e) {
$this->success = false;

View File

@ -873,16 +873,20 @@ class User extends Managed_DataObject
}
// No luck finding anyone by that email address.
// TODO: Fake sending email (since we don't want to reveal which addresses exist or not)
if (!$user instanceof User) {
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
if (common_config('site', 'fakeaddressrecovery')) {
// Return without actually doing anything! We fake address recovery
// to avoid revealing which email addresses are registered with the site.
return;
}
// TRANS: Information on password recovery form if no known e-mail address was specified.
throw new ClientException(_('No user with that email address exists here.'));
}
} else {
// This might throw a NicknameException on bad nicknames
$user = User::getKV('nickname', common_canonical_nickname($nore));
if (!$user instanceof User) {
// TRANS: Information on password recovery form if no known username or e-mail address was specified.
// TRANS: Information on password recovery form if no known username was specified.
throw new ClientException(_('No user with that nickname exists here.'));
}
}

View File

@ -48,6 +48,7 @@ $default =
'languages' => get_all_languages(),
'email' =>
array_key_exists('SERVER_ADMIN', $_SERVER) ? $_SERVER['SERVER_ADMIN'] : null,
'fakeaddressrecovery' => true,
'broughtby' => null,
'timezone' => 'UTC',
'broughtbyurl' => null,