Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 3.2.9, 3.3.0
Description
Consider a board where the feature "Allow password reset" is disabled.
The link "I forgot my password" is still visible. When a user clicks on it, he or she receives this message:
The password reset functionality has been disabled. If you need help accessing your account, please contact the Board Administrator.
The link "Board Administrator" doesn't redirect to the Contact Page (if enabled) or an error (if disabled), like the login page when there is a login problem. Instead, it redirects to mailto:xxxx, where xxxx is the contact email address defined in the ACP. Even if the administrator decided to hide email addresses, the contact email address is still visible. It's definitely a flaw.
EDIT 5/03/20: the bug also appears when you try to link an existing account with an external service (OAuth). If you type a wrong password, you get this message:
You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact the Board Administrator.
Unlike the "Board Administrator" link of the standard login page, that link doesn't redirect to the Contact page (if enabled) or an error (if disabled). Instead, it redirects to mailto:xxxx, where xxxx is the contact email address defined in the ACP. Even if the administrator decided to hide email addresses, the contact email address is still visible. Same flaw.
If you fail again to find the correct password, you get this message:
You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact the %sBoard Administrator%s.
There is no link at all. %sBoard Administrator%s is displayed as such.
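
A regression check for the two symptoms described in this report, added here as an example (it is not part of the report or of phpBB's code): it scans a rendered message for `mailto:` links that expose an address and for sprintf-style placeholders left unsubstituted in the visible text. The sample HTML, the address `admin@example.com` and the `/contact` URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Unsubstituted sprintf-style placeholders such as %s or %1$s in visible text.
PLACEHOLDER = re.compile(r"%(?:\d+\$)?[sd]")


class MessageAudit(HTMLParser):
    """Collects mailto: targets and visible text from a rendered message."""

    def __init__(self):
        super().__init__()
        self.mailto = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                # Keep only the address, dropping any ?subject=... suffix.
                self.mailto.append(href[7:].split("?", 1)[0])

    def handle_data(self, data):
        self.text.append(data)


def audit_message(html):
    """Return a list of findings for one rendered error message."""
    parser = MessageAudit()
    parser.feed(html)
    parser.close()  # flush any text still buffered by the parser
    findings = [f"mailto link exposes {addr}" for addr in parser.mailto]
    for token in PLACEHOLDER.findall("".join(parser.text)):
        findings.append(f"unsubstituted placeholder {token}")
    return findings


# Constructed samples modelled on the messages quoted in the report.
SAMPLES = {
    "reset_disabled": 'please contact the <a href="mailto:admin@example.com">Board Administrator</a>.',
    "oauth_retry": "please contact the %sBoard Administrator%s.",
    # Hypothetical contact-page URL standing in for the expected behaviour.
    "login_page": 'please contact the <a href="/contact">Board Administrator</a>.',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, audit_message(html) or "ok")
```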