Active
Project:
Password reset
Version:
7.x-1.0-beta1
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
13 Apr 2012 at 20:10 UTC
Updated:
10 May 2012 at 23:14 UTC
Hi! Would you please help me with this?
When a user tries to recover/reset his password, the module doesn't check that the written user actually exists. So, if I complete the field with a wrong username, the module still shows a (random) security cuestion to be answered (but, as it isn't a valid username, it doesn't have a valid answer).
Is there a way to validate that field?
And (this would be perfect) is there a way to add an option for "recover my username" by providing the user email address?
Thanks a lot for your time!
Comments
Comment #1
Zen commentedHola Gabriela,
This is actually intentional in the interest of security. If not for this, then scripts can be used to randomly harvest both usernames and the associated reset questions. Perhaps the display message can be improved. I'm open to suggestions.
E-mail address recovery option is a feature request on another thread.
-K