2.8.0 beta10 - hide_email_address_taken needs (automatic) tweaks to the site settings, or a warning to edit them to make sense.
If using the new feature 2.8.0.beta10: API Improvements, Domain Restricted Invite Links, Tab to Indent, and more
Enabling the setting changes the outcome text from a password reset of “an account matching xyz/foo@bar.com was found, and an email was sent” to “if an account matching xyz/foo@bar.com exists it will get an email with reset instructions”. Good. Problem: It doesn’t change the password reset instructions regarding ‘enter the username or password to initiate a reset’.
When doing a password reset from the login popup, the new site setting requires an email address and not a username, but the instructions seem to allow both, and the outcome makes it seem like it worked:
No email is sent if a username is entered instead of an email, but the outcome text indicates that it should have worked.
Instructions don’t change regardless of the site setting:
I foresee lots of head-desk when people are sure they have the right username and never get password reset emails.