webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-28 17:02:04 +03:00
Code Activity

Updated password reset process not to indicate if email exists

Browse Source 
- Intended to prevent enumeration to check if a user exists.
- Updated messages on both the reqest-reset and set-password elements.
- Also updated notification auto-hide to be dynamic based upon the
amount of words within the notification.
- Added tests to cover.

For #2016
This commit is contained in:
Dan Brown
2020-04-10 13:38:08 +01:00
parent 053cbbd5b6
commit ba1be9d710
6 changed files with 63 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/Http/Controllers/Auth/ForgotPasswordController.php
View File

@ -5,7 +5,7 @@ namespace BookStack\Http\Controllers\Auth;
use BookStack\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
use Illuminate\Http\Request;
use Password;
use Illuminate\Support\Facades\Password;
class ForgotPasswordController extends Controller
{
@ -52,8 +52,8 @@ class ForgotPasswordController extends Controller
$request->only('email')
);
if ($response === Password::RESET_LINK_SENT) {
$message = trans('auth.reset_password_sent_success', ['email' => $request->get('email')]);
if ($response === Password::RESET_LINK_SENT || $response === Password::INVALID_USER) {
$message = trans('auth.reset_password_sent', ['email' => $request->get('email')]);
$this->showSuccessNotification($message);
return back()->with('status', trans($response));
}