From: Mikael Nordfeldth Date: Sat, 30 May 2015 21:29:16 +0000 (+0200) Subject: Fake recovery by email address, to hide registrants on the site X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=82f9b6908cc12b7f46fac2f7e0471febdb789187;p=quix0rs-gnu-social.git Fake recovery by email address, to hide registrants on the site --- diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php index 4839a036c0..060ba83510 100644 --- a/actions/recoverpassword.php +++ b/actions/recoverpassword.php @@ -272,10 +272,16 @@ class RecoverpasswordAction extends Action try { User::recoverPassword($nore); $this->mode = 'sent'; - // TRANS: User notification after an e-mail with instructions was sent from the password recovery form. - $this->msg = _('Instructions for recovering your password ' . - 'have been sent to the email address registered to your ' . - 'account.'); + if (common_is_email($nore) && common_config('site', 'fakeaddressrecovery')) { + // TRANS: User notification when recovering password by giving email address, + // regardless if the mail was sent or not (to hide registered email status). + $this->msg = _('If the email address you provided was found in the database, a recovery mail with instructions has been sent there.'); + } else { + // TRANS: User notification after an e-mail with instructions was sent from the password recovery form. + $this->msg = _('Instructions for recovering your password ' . + 'have been sent to the email address registered to your ' . + 'account.'); + } $this->success = true; } catch (Exception $e) { $this->success = false; diff --git a/classes/User.php b/classes/User.php index 6a12bb6642..3efaa5e721 100644 --- a/classes/User.php +++ b/classes/User.php @@ -873,16 +873,20 @@ class User extends Managed_DataObject } // No luck finding anyone by that email address. - // TODO: Fake sending email (since we don't want to reveal which addresses exist or not) if (!$user instanceof User) { - // TRANS: Information on password recovery form if no known username or e-mail address was specified. + if (common_config('site', 'fakeaddressrecovery')) { + // Return without actually doing anything! We fake address recovery + // to avoid revealing which email addresses are registered with the site. + return; + } + // TRANS: Information on password recovery form if no known e-mail address was specified. throw new ClientException(_('No user with that email address exists here.')); } } else { // This might throw a NicknameException on bad nicknames $user = User::getKV('nickname', common_canonical_nickname($nore)); if (!$user instanceof User) { - // TRANS: Information on password recovery form if no known username or e-mail address was specified. + // TRANS: Information on password recovery form if no known username was specified. throw new ClientException(_('No user with that nickname exists here.')); } } diff --git a/lib/default.php b/lib/default.php index 6369fbddc6..0ec9fc4e14 100644 --- a/lib/default.php +++ b/lib/default.php @@ -48,6 +48,7 @@ $default = 'languages' => get_all_languages(), 'email' => array_key_exists('SERVER_ADMIN', $_SERVER) ? $_SERVER['SERVER_ADMIN'] : null, + 'fakeaddressrecovery' => true, 'broughtby' => null, 'timezone' => 'UTC', 'broughtbyurl' => null,