(SOLVED) Bug? Customer.pl is confusing some customers

bayerex
Znuny expert
Posts: 164
Joined: 03 Dec 2012, 00:30
Znuny Version: 3.2.7

(SOLVED) Bug? Customer.pl is confusing some customers

Post by bayerex »

Hi,

there seems to be a problem with Customer.pl. If a customer has not yet self-registered but clicks "Forgot Password" and submits their email address, the system claims it will send them a new password. But of course it doesn't.

Surely it should write something like "You are not yet a registered user of this system, please register".

Is this a bug, or something I can quickly fix?

Thanks.
Last edited by bayerex on 10 Dec 2012, 23:20, edited 1 time in total.
Current Production Server (recently switched from Windows)
OTRS 3.2.7 on Ubuntu 12.04LTS 64bit
PHP 5.3.10-1ubuntu3.6
mysql Ver 14.14 Distrib 5.5.31

Previous Production Server:
Windows 2008
MySQL 5.1.51 Community Server
Strawberry Perl 5.12.3.0
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Bug? Customer.pl is confusing some customers

Post by crythias »

It's not necessarily a bug. It's not *always* a good idea to let someone (potentially a bad guy) know that the username is valid/invalid.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
bayerex
Znuny expert
Posts: 164
Joined: 03 Dec 2012, 00:30
Znuny Version: 3.2.7

Re: Bug? Customer.pl is confusing some customers

Post by bayerex »

crythias wrote: It's not necessarily a bug. It's not *always* a good idea to let someone (potentially a bad guy) know that the username is valid/invalid.
Yeah I know what you mean and I had a feeling this would be your view. However we would still prefer to use something more helpful in this case. Even this forum for example indicates if you're requesting a password for an invalid address.

Ok, so you're saying you believe it's not a bug, it's a wish?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Bug? Customer.pl is confusing some customers

Post by crythias »

From Standard/CustomerLogin.dtl:

Code:

<!-- dtl:block:LostPassword -->
            <div id="Reset">
                <a href="#Login" class="InlineNavigation">&larr; $Text{"Back"}</a>
                <h2>$Text{"Request new password"}</h2>
                <form class="Floating" action="$Env{"CGIHandle"}" method="post" enctype="application/x-www-form-urlencoded">
                    <input type="hidden" name="Action" value="CustomerLostPassword" />
                    <input type="hidden" name="Lang" value="$Env{"UserLanguage"}" />
                    <div>
                        <label for="ResetUser">$Text{"User name"}</label>
                        <input title="$Text{"Your User Name"}" type="text" id="ResetUser" name="User" maxlength="150" />
                    </div>
                    <div>
                        <button type="submit" value="$Text{"Submit"}">$Text{"Submit"}</button>
                    </div>
                    <div class="Clear"></div>
                </form>
                <p>$Text{"A new password will be sent to your email address."}</p>
            </div>
<!-- dtl:block:LostPassword -->
CustomerLostPassword action is in Kernel/System/Web/InterfaceCustomer.pm:

Code:

        my %UserData = $Self->{UserObject}->CustomerUserDataGet( User => $User );
        if ( !$UserData{UserID} ) {

            # Security: pretend that password reset instructions were actually sent to
            #   make sure that users cannot find out valid usernames by
            #   just trying and checking the result message.
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => 'Sent password reset instructions. Please check your email.',
                ),
            );
            return;
        }
bayerex wrote: Ok, so you're saying you believe it's not a bug, it's a wish?
It's not a bug. It's hard coded that way. Although now that you know where it is you certainly can change the message. It won't survive updates, but you can do as you wish.
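To make the point of that `if ( !$UserData{UserID} )` branch concrete, here is an added example (not OTRS code, and not from anyone in this thread) that models the two behaviours discussed: the "helpful" reply bayerex asked for, and the uniform reply the shipped code gives. The customer directory, the `Outbox` stand-in for the mail transport and the registration hint mail are all constructed for the example.

```python
"""Constructed model of a customer 'lost password' handler, in the spirit
of the CustomerLostPassword branch quoted above (not OTRS code)."""
from dataclasses import dataclass, field

# Constructed stand-in for CustomerUserDataGet(): only one known account.
CUSTOMERS = {"alice@example.org": {"UserID": 1, "UserEmail": "alice@example.org"}}

# The one message the web reply is allowed to show, on both branches.
RESET_SENT = "Sent password reset instructions. Please check your email."


@dataclass
class Outbox:
    """Records what would be mailed, so the test can inspect side effects."""
    sent: list = field(default_factory=list)


def lost_password_helpful(user: str, outbox: Outbox) -> str:
    """The behaviour the original post asks for: the reply itself tells the
    submitter whether an account exists, so the reply is an oracle."""
    data = CUSTOMERS.get(user)
    if not data:
        return "You are not yet a registered user of this system, please register."
    outbox.sent.append((data["UserEmail"], "password-reset"))
    return RESET_SENT


def lost_password_uniform(user: str, outbox: Outbox) -> str:
    """The pattern in InterfaceCustomer.pm: identical reply on both branches.
    Assumption beyond the thread: when the input looks like an address but has
    no account, the registration hint goes by mail to that address instead of
    onto the page, so the legitimate owner still gets the helpful text."""
    data = CUSTOMERS.get(user)
    if data:
        outbox.sent.append((data["UserEmail"], "password-reset"))
    elif "@" in user:
        outbox.sent.append((user, "no-account-please-register"))
    return RESET_SENT


def reply_is_uniform(handler, known: str, unknown: str) -> bool:
    """Regression check for a deployment: the visible reply must not depend on
    whether the submitted name maps to an account."""
    return handler(known, Outbox()) == handler(unknown, Outbox())
```

`reply_is_uniform` only compares the rendered message; if the two branches also differ noticeably in response time, that difference is a second channel the message check does not cover.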
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Bug? Customer.pl is confusing some customers

Post by jojo »

All typical security guidelines require that no hint is given as to whether the username exists.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
bayerex
Znuny expert
Posts: 164
Joined: 03 Dec 2012, 00:30
Znuny Version: 3.2.7

Re: Bug? Customer.pl is confusing some customers

Post by bayerex »

Super! Thanks guys.