Hi! Would you please help me with this?
When a user tries to recover/reset his password, the module doesn't check that the written user actually exists. So, if I complete the field with a wrong username, the module still shows a (random) security cuestion to be answered (but, as it isn't a valid username, it doesn't have a valid answer).

Is there a way to validate that field?

And (this would be perfect) is there a way to add an option for "recover my username" by providing the user email address?

Thanks a lot for your time!

Comments

Zen’s picture

Hola Gabriela,

This is actually intentional in the interest of security. If not for this, then scripts can be used to randomly harvest both usernames and the associated reset questions. Perhaps the display message can be improved. I'm open to suggestions.

E-mail address recovery option is a feature request on another thread.

-K