Hide_email_address_taken needs pass reset text modification

2.8.0 beta10 - hide_email_address_taken needs (automatic) tweaks to the site settings, or a warning to edit them to make sense.

If using the new feature 2.8.0.beta10: API Improvements, Domain Restricted Invite Links, Tab to Indent, and more

image747×70 4.72 KB

Enabling the setting changes the outcome text from a password reset of “an account matching xyz/foo@bar.com was found, and an email was sent” to “if an account matching xyz/foo@bar.com exists it will get an email with reset instructions”. good. Problem: It doesn’t change the password reset instructions regarding ‘enter the username or password to initiate a reset’.

When doing a password reset from the login popup, the new site setting requires an email address and not a username, but the instructions seem to allow both, and outcome make it seem like it worked:

image694×174 13.6 KB

No email is sent if a username is entered instead of an email, but the outcome text indicates that it should have worked.

Instructions don’t change regardless of the site setting:

I foresee lots of head-desk when people are sure they have the right username and never get password reset emails.

I am having trouble reproducing this on latest:

image1063×554 52.2 KB

image1297×503 52.8 KB

Can anyone else reproduce the issue?

Screenshot_20211229-1825451080×2068 202 KB

I suspect it may have been a cached page issue. I was testing in an incognito tab and refreshing between setting changes. The localization text seems right and in mobile I get the correct behaviour. Will try again when I’m near a computer. Apologies if this was a red herring.

Edit: trying again from a new computer with no cache…it is correct. moral of the story…be more thorough I guess. Thanks for looking into it friends!

I can’t reproduce it on my test instance running latest either.