Reproduce:
- Enable the site setting “hide email address taken”, which is normally disabled, and is described as “Don’t inform users that an account exists with a given email address during signup and from the forgot password form.”
- From a new browser session, attempt to log in with email, and supply an invalid username, such as codinghorror.
Expected behavior
The message text from one of the following strings appears, not divulging the existence or non-existence of an account.
js.email_login.complete_email:
If an account matches codinghorror@example.com, you should receive an email with a login link shortly.
js.email_login.complete_username:
If an account matches codinghorror, you should receive an email with a login link shortly.
Actual behavior
The message text incorrectly indicates that there was a positive match, even when there was no match.
js.email_login.complete_email_found:
We found an account that matches codinghorror@example.com, you should receive an email with a login link shortly.
js.email_login.complete_username_found:
We found an account that matches the username codinghorror, you should receive an email with a login link shortly.
Commentary
Although this works correctly for the “reset password” process, the same logic should also hold for the login-by-email workflow.
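As an added illustration (not Discourse's own code), the following models how the login-by-email response should be chosen so that the “hide email address taken” setting governs this workflow the way it already governs password reset. The message keys and strings are the ones quoted above; the helper names and the sample account list are constructed for this example.

```ruby
# Added example, not Discourse's own code. Message keys and strings are the
# ones quoted in the report; helper names and KNOWN_ACCOUNTS are constructed.

MESSAGES = {
  "js.email_login.complete_email" =>
    "If an account matches %{id}, you should receive an email with a login link shortly.",
  "js.email_login.complete_username" =>
    "If an account matches %{id}, you should receive an email with a login link shortly.",
  "js.email_login.complete_email_found" =>
    "We found an account that matches %{id}, you should receive an email with a login link shortly.",
  "js.email_login.complete_username_found" =>
    "We found an account that matches the username %{id}, you should receive an email with a login link shortly.",
}.freeze

# Constructed sample accounts; "codinghorror" from the report is deliberately absent.
KNOWN_ACCOUNTS = ["sam", "sam@example.com"].freeze

def account_exists?(identifier)
  KNOWN_ACCOUNTS.include?(identifier.downcase)
end

# Chooses the message key. The "_found" variant may only be used when the
# account exists AND the site setting allows revealing that fact.
def email_login_message_key(identifier, hide_email_address_taken:)
  kind = identifier.include?("@") ? "email" : "username"
  reveal = account_exists?(identifier) && !hide_email_address_taken
  "js.email_login.complete_#{kind}#{reveal ? "_found" : ""}"
end

def email_login_message(identifier, hide_email_address_taken:)
  key = email_login_message_key(identifier, hide_email_address_taken: hide_email_address_taken)
  format(MESSAGES.fetch(key), id: identifier)
end

# The property the setting promises: with it enabled, an existing and a missing
# identifier of the same kind yield the same text apart from the identifier
# itself, and the text never claims a match, so the response cannot be used to
# confirm that an account exists.
def enumeration_safe?(existing, missing)
  a = email_login_message(existing, hide_email_address_taken: true).sub(existing, "<id>")
  b = email_login_message(missing, hide_email_address_taken: true).sub(missing, "<id>")
  a == b && !a.start_with?("We found")
end
```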