Channel: Issues for Drupal core

Password reset form reveals whether an email or username is in use

Problem/Motivation

We want to prevent anyone from checking whether an e-mail address is already registered on a Drupal site. Today the password reset form answers differently depending on whether its input matches an account, so the displayed message must be changed.

On the 'Request new password' form (/user/password), you get the following message if you enter an unused e-mail address or username:

Sorry, john.doe@example.com is not recognized as a user name or an e-mail address.

If you enter an e-mail address or username that belongs to an account, you get:

Further instructions have been sent to your e-mail address.

Because the two responses differ, an anonymous user can easily check whether a user is registered with a given e-mail address or username.

This is a privacy issue. Consider the following scenario:
Alice wants to check whether her fiancé Bob is registered at "adult-dating.example.com", a well-known Internet dating site running on Drupal. She visits adult-dating.example.com/user/password and enters his e-mail address bob@doe-family.example. If she gets the message "Further instructions have been sent to your e-mail address.", she knows that an account is registered with Bob's e-mail address (that is, Bob himself) or with a username matching his e-mail address (unlikely to be anyone else).

Proposed resolution

Never print "Sorry, XYZ is not recognized as a user name or an e-mail address."; always print "Further instructions have been sent to your e-mail address.", regardless of whether the input matched an account.

The wording of that single message should then be changed so that it no longer asserts a match (adding something like "if it matched any account").
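The following is an added example written for this page, not Drupal code: a small model of a "request new password" handler in its current, leaking form and in the proposed form, plus the probe an anonymous visitor would run against it. The account table, the Outbox stand-in for the mail system, the control identifier and the NEUTRAL wording are constructed for illustration; the NOT_FOUND and SENT strings are the ones quoted in this issue.

```python
"""Model of the /user/password status-message oracle and its fix.

Added example for this issue, not Drupal's implementation. ACCOUNTS, Outbox,
the control identifier in confirmed_accounts() and the NEUTRAL wording are
constructed/assumed; NOT_FOUND and SENT are the messages quoted in the issue.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample accounts (username -> e-mail address). Not real data.
ACCOUNTS: Dict[str, str] = {
    "bob": "bob@doe-family.example",
    "carol": "carol@example.org",
}

NOT_FOUND = "Sorry, {} is not recognized as a user name or an e-mail address."
SENT = "Further instructions have been sent to your e-mail address."
# Assumed neutral wording, in the spirit of the "if matched any account" suggestion.
NEUTRAL = ("If the name or e-mail address you entered matches an account, "
           "further instructions have been sent to that account's e-mail address.")


@dataclass
class Outbox:
    """Stand-in for the mail system: records recipients of reset mails."""
    sent: List[str] = field(default_factory=list)


def lookup(identifier: str) -> Optional[str]:
    """Match the form input against usernames, then e-mail addresses
    (case-insensitive). Return the account's e-mail address or None."""
    if identifier in ACCOUNTS:
        return ACCOUNTS[identifier]
    wanted = identifier.lower()
    for email in ACCOUNTS.values():
        if email.lower() == wanted:
            return email
    return None


def reset_leaky(identifier: str, outbox: Outbox) -> str:
    """Current behaviour: the message depends on whether the lookup matched,
    and the 'not recognized' text even echoes the input back."""
    email = lookup(identifier)
    if email is None:
        return NOT_FOUND.format(identifier)
    outbox.sent.append(email)
    return SENT


def reset_hardened(identifier: str, outbox: Outbox) -> str:
    """Proposed behaviour: mail still goes out only when an account matches,
    but both paths return the same string. (Only the message is fixed here;
    response time could still differ between the two paths, which this issue
    does not address.)"""
    email = lookup(identifier)
    if email is not None:
        outbox.sent.append(email)
    return NEUTRAL


Handler = Callable[[str, Outbox], str]


def normalize(response: str, identifier: str) -> str:
    """Strip the reflected input so two 'not recognized' replies compare equal."""
    return response.replace(identifier, "{input}")


def confirmed_accounts(handler: Handler, candidates: List[str]) -> List[str]:
    """What an anonymous visitor learns: first submit a control value assumed
    to match nothing, then flag every candidate whose (normalised) reply
    differs from the control's. With one constant message nothing differs."""
    control_id = "no-such-account-9f1c2d"  # constructed; assumed unregistered
    control = normalize(handler(control_id, Outbox()), control_id)
    return [c for c in candidates
            if normalize(handler(c, Outbox()), c) != control]


if __name__ == "__main__":
    guesses = ["bob@doe-family.example", "BOB@DOE-FAMILY.EXAMPLE",
               "bob", "mallory@example.net"]
    print("leaky   :", confirmed_accounts(reset_leaky, guesses))
    print("hardened:", confirmed_accounts(reset_hardened, guesses))
```

Note that the probe has to normalise away the echoed identifier before comparing replies; otherwise every "Sorry, X is not recognized" string looks unique and the oracle is missed. The hardened handler keeps the side effect (a mail to the real account) and removes only the observable difference, which is exactly the resolution proposed above.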

Remaining tasks

Check that the items in the following list have already been done.

See the comment in #101 for the remaining changes needed.

Contributor tasks needed
Task                                                    | Novice task? | Contributor instructions | Complete?
Create a patch                                          |              | Instructions             | Complete
Reroll the patch if it no longer applies.               |              | Instructions             | Complete
Add automated tests                                     |              | Instructions             | Complete
Manually test the patch                                 | Novice       | Instructions             |
Embed before and after screenshots in the issue summary | Novice       | Instructions             |

User interface changes

On the 'Request new password' form, the status message shown when the username or e-mail address matches no account is going to change. Currently it is:

Sorry, john.doe@example.com is not recognized as a user name or an e-mail address.

The message shown when the input does match an account should also be changed, so that a single message covers both cases. Currently it is:

Further instructions have been sent to your e-mail address.

API changes

None

Original report by no2e

(coming from #1359718: Allow password reset on account w username matching another email. Prevent registrations which match another account)


On 'Request new password' form (/user/password), you get the following message if you enter an unused mail address or username:

Sorry, john.doe@example.com is not recognized as a user name or an e-mail address.

If you enter a used mail address or username, you get:

Further instructions have been sent to your e-mail address.

So, an anonymous user can easily check whether there is a user registered with a certain e-mail address or not.

I think this can be a privacy issue. Think of the following scenario:
Alice wants to check if her fiancé Bob is registered at "adult-dating.example.com", a well-known Internet dating site run by Drupal. She visits adult-dating.example.com/user/password and enters his mail address bob@doe-family.example. If she gets the message "Further instructions have been sent to your e-mail address.", she'll know that there is a user registered with Bob's mail address (= Bob himself) or with a username matching his mail address (unlikely that it would be someone else).

Possible solution:
never print "Sorry, XYZ is not recognized as a user name or an e-mail address.",
always print "Further instructions have been sent to your e-mail address.".

Maybe we should change the wording of this message then (adding something like "if matched any account").

Steps to reproduce this issue

  • Install the latest Drupal 8.x version.
  • Log in and create a new user with a username and e-mail address.
  • Log out.
  • Go to user/password.
  • Enter a username or e-mail address that belongs to no account.
  • Without the latest patch applied, the following message appears: Sorry, john.doe@example.com is not recognized as a user name or an e-mail address.
  • Then enter the username or e-mail address of the user you just created.
  • Without the latest patch applied, the following message appears: Further instructions have been sent to your e-mail address.
  • Apply the latest patch.
  • Run update.php.
  • Now the same message should appear whether the username or e-mail address is valid or invalid: Further instructions have been sent to your e-mail address.
  • Only one message is displayed, so it is no longer possible to check whether an e-mail address is registered.
