
Registered E-Mails can be checked #22

@WebFreak001


// ignore errors, so that registered e-mails cannot be determined

It says here that it's supposed to ignore errors, but if you access `/reset_password?email=somemail&code=invalid_code` and attempt to change the password, the error is different between

There is no user account for the specified email address.

and

Error: Invalid request code, please request a new one.

It should always only show the second one.

Probably low priority, but regarding the comment there that it shouldn't be able to be determined: I think you might still be able to find out, because the throw/catch takes more time, so you will see a ms or more on average. It should simulate some micro sleep.
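
One way to close both leaks described in this issue, written as an added example and not the project's own code: a reset check that returns the same message for an unknown address and a wrong code, and runs the same comparison on both paths instead of an early throw/catch (a different approach from the sleep suggested above). The in-memory store, the function names and the sample code value are constructed for illustration.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample store: e-mail -> pending reset code (hypothetical data).
RESET_CODES = {"alice@example.com": "3f9c1b7a5d2e4f60"}

# The single message shown for every failure, taken from the issue text.
GENERIC_ERROR = "Invalid request code, please request a new one."

# Random per-process value compared against when the account is unknown, so
# the unknown-account path does the same work as the wrong-code path.
DUMMY_CODE = secrets.token_hex(8)


class ResetError(Exception):
    """Raised for any failed reset attempt, always with GENERIC_ERROR."""


def check_reset_request(email: str, code: str) -> None:
    stored = RESET_CODES.get(email)
    expected = stored if stored is not None else DUMMY_CODE
    # compare_digest takes time independent of where the inputs differ.
    matches = hmac.compare_digest(expected.encode(), code.encode())
    # A submitted code that happens to equal DUMMY_CODE must still fail,
    # hence the explicit "stored is None" test after the comparison.
    if stored is None or not matches:
        raise ResetError(GENERIC_ERROR)


def reset_error_for(email: str, code: str) -> Optional[str]:
    """Return the user-visible error for a reset attempt, or None on success."""
    try:
        check_reset_request(email, code)
    except ResetError as exc:
        return str(exc)
    return None
```

A real account lookup (database query, cache miss) can still differ in latency between existing and missing rows, so response times should be measured for both cases after a change like this.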
