FEATURE: inform users if forgot password works or not

FIX: flash dialog in forgot password often had wrong color (this can be disabled by setting forgot_password_verbose to false)
2014-09-11 12:04:44 +10:00 · 2014-09-11 12:04:44 +10:00 · 61bcde6284
parent aa21969d99
commit 61bcde6284
5 changed files with 29 additions and 8 deletions
--- a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
+++ b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
@ -17,18 +17,28 @@ export default DiscourseController.extend(ModalFunctionality, {

      this.set('disabled', true);

-      var success = function() {
+      var success = function(data) {
        // don't tell people what happened, this keeps it more secure (ensure same on server)
        var escaped = Handlebars.Utils.escapeExpression(self.get('accountEmailOrUsername'));
-        if (self.get('accountEmailOrUsername').match(/@/)) {
-          self.flash(I18n.t('forgot_password.complete_email', {email: escaped}));
-        } else {
-          self.flash(I18n.t('forgot_password.complete_username', {username: escaped}));
+        var isEmail = self.get('accountEmailOrUsername').match(/@/);
+
+        var key = 'forgot_password.complete_' + (isEmail ? 'email' : 'username');
+        var extraClass;
+
+        if (data.user_found === true) {
+          key += '_found';
        }
+
+        if (data.user_found === false) {
+          key += '_not_found';
+          extraClass = 'error';
+        }
+
+        self.flash(I18n.t(key, {email: escaped, username: escaped}), extraClass);
      };

      var fail = function(e) {
-        self.flash(e.responseJSON.errors[0], 'alert-error');
+        self.flash(e.responseJSON.errors[0], 'error');
      };

      Discourse.ajax('/session/forgot_password', {
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -108,8 +108,13 @@ class SessionController < ApplicationController
      email_token = user.email_tokens.create(email: user.email)
      Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
    end
-    # always render of so we don't leak information
-    render json: {result: "ok"}
+
+    json = { result: "ok" }
+    if SiteSetting.forgot_password_verbose
+      json[:user_found] = user.present?
+    end
+
+    render json: json

  rescue RateLimiter::LimitExceeded
    render_json_error(I18n.t("rate_limiter.slow_down"))
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@ -586,7 +586,11 @@ en:
      reset: "Reset Password"
      complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
      complete_email: "If an account matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."
+      complete_username_found: "We found an account that matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
+      complete_email_found: "We found an account that matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."

+      complete_username_not_found: "No account matches the username <b>%{username}</b>"
+      complete_email_not_found: "No account matches <b>%{email}</b>"
    login:
      title: "Log In"
      username: "User"
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -749,6 +749,7 @@ en:
    allow_index_in_robots_txt: "Specify in robots.txt that this site is allowed to be indexed by web search engines."
    email_domains_blacklist: "A list of email domains that users are not allowed to register accounts with. Example: mailinator.com trashmail.net"
    email_domains_whitelist: "A list of email domains that users MUST register accounts with. WARNING: Users with email domains other than those listed will not be allowed!"
+    forgot_password_verbose: "Inform users of an account's existance when they use the forgot password dialog."
    version_checks: "Ping the Discourse Hub for version updates and show new version messages on the /admin dashboard"
    new_version_emails: "Send an email to the contact_email address when a new version of Discourse is available."

--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -239,6 +239,7 @@ login:
  email_domains_whitelist:
    default: ''
    type: list
+  forgot_password_verbose: true

 users:
  min_username_length: