User/password recovery works strangely
akak1977 opened this issue
Andrei Kolchanov commented
Recovery email can be anything, even something like xx@xx.xx.
And the system says: "An email with your user name has been sent to your address". Even if SMTP is unavailable.
Artem Dudarev commented
The message should always be the same to prevent email address harvesting.
An anonymous user should not be able to find out if a specific email address or user name is registered in the system.
Andrei Kolchanov commented
Ok. Anyway, I think we need to check SMTP presence at all, and catch other system errors.
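The two positions in this thread are compatible. The sketch below is an added example, not code from this project: it keeps the anonymous response identical for every outcome while SMTP and lookup failures are caught and reported server-side. The names `request_recovery`, `users`, `send_mail` and `ListHandler` are hypothetical, and the sample data is constructed.

```python
import logging
import smtplib

# Text quoted in the issue; the caller sees this for every outcome.
GENERIC_REPLY = "An email with your user name has been sent to your address"
log = logging.getLogger("recovery")


class ListHandler(logging.Handler):
    # Keeps records in memory; stands in for real log shipping or alerting.
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def request_recovery(email, users, send_mail):
    """users: email -> user name (hypothetical); send_mail(to, body) may raise."""
    key = email.strip().lower()
    user_name = users.get(key)
    if user_name is None:
        # Unknown address: visible to operators, invisible to the caller.
        log.info("recovery requested for an unregistered address")
        return GENERIC_REPLY
    try:
        send_mail(key, f"Your user name is {user_name}")
    except (smtplib.SMTPException, OSError) as exc:
        # SMTP unavailable: report it server-side, keep the response unchanged.
        log.error("recovery mail not sent: %s", exc)
    return GENERIC_REPLY


def broken_smtp(to, body):
    raise smtplib.SMTPServerDisconnected("constructed failure")


def run_constructed_cases():
    handler = ListHandler()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    users = {"alice@example.com": "alice"}  # constructed sample data
    replies = [
        request_recovery("alice@example.com", users, lambda to, body: None),
        request_recovery("xx@xx.xx", users, lambda to, body: None),
        request_recovery("alice@example.com", users, broken_smtp),
    ]
    log.removeHandler(handler)
    return replies, [r.levelname for r in handler.records]
```

Sending synchronously, as here, still lets response time differ between registered and unregistered addresses; handing the message to a background queue removes that difference.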