"Login by email" switches to incorrect strings when "hide email address" activated

Reproduce:

  1. Enable the site setting hide email address taken, which is normally disabled, and described as “Don’t inform users that an account exists with a given email address during signup and from the forgot password form.”

  2. From a new browser session, attempt to log in with email, and supply an invalid username, such as codinghorror.

Expected behavior

The error message text from one of the following strings appears, not divulging the existence or non-existence of an account.

js.email_login.complete_email:

If an account matches codinghorror@example.com, you should receive an email with a login link shortly.

js.email_login.complete_username:

If an account matches codinghorror, you should receive an email with a login link shortly.

Actual behavior

The error message text incorrectly indicates that there was a positive match, even when there was no match.

js.email_login.complete_email_found:

We found an account that matches codinghorror@example.com, you should receive an email with a login link shortly.

js.email_login.complete_username_found:

We found an account that matches the username codinghorror, you should receive an email with a login link shortly.

Commentary

Although this works correctly for the “reset password” process, it seems the same logic should hold through with the login by email workflow.

2 Likes

I do not see this as a bug. The behavior is exactly as described above.

But if we have the other copy we should be using it in this scenario @eviltrout

1 Like

Sorry if this was confusing. The bug, as perceived, is that when (and only when) hide email address taken is set active, and non-matching values are entered for email-based login:

Instead of displaying the intentionally-ambiguous js.email_login.complete_email and js.email_login.complete_username strings, it instead (mistakenly) displays a false positive using strings js.email_login.complete_email_found and js.email_login.complete_username_found.

If the site setting is disabled (default) it correctly displays “no match found” strings.

4 Likes
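The behavior the report expects can be written as a check that an existing and a non-existing login produce identical observable output when hide email address taken is on. This is an added example, not Discourse's code or the linked commit: the account list, the response shape (`user_found`), the function names and the "no match" key suffix are assumptions or placeholders.

```javascript
// Added illustration; not Discourse source code.
// Constructed sample data: one existing account.
const ACCOUNTS = [{ username: "sam", email: "sam@example.com" }];

// Hypothetical server handler for "log in with email".
function emailLoginResponse(login, settings) {
  const field = login.includes("@") ? "email" : "username";
  const found = ACCOUNTS.some((a) => a[field] === login.toLowerCase());
  // (A real handler would queue the login-link email here when found.)
  // With the setting on, the lookup result must never reach the client.
  return settings.hide_email_address_taken
    ? { success: "OK" }
    : { success: "OK", user_found: found };
}

// Client side: choose the translation key for the confirmation message.
function messageKey(login, response, settings) {
  const kind = login.includes("@") ? "email" : "username";
  const base = `js.email_login.complete_${kind}`;
  if (settings.hide_email_address_taken) return base; // intentionally ambiguous
  // Placeholder suffix: the page does not name the "no match" keys.
  return response.user_found ? `${base}_found` : `${base}__NO_MATCH_PLACEHOLDER`;
}

// Everything an unauthenticated visitor can observe for one attempt.
function observe(login, settings) {
  const response = emailLoginResponse(login, settings);
  return JSON.stringify({ response, key: messageKey(login, response, settings) });
}

// True if an existing and a non-existing login are distinguishable.
function leaksExistence(existing, missing, settings) {
  return observe(existing, settings) !== observe(missing, settings);
}

const hidden = { hide_email_address_taken: true };
const shown = { hide_email_address_taken: false };
console.log(observe("codinghorror", hidden));
console.log("setting on, distinguishable:", leaksExistence("sam", "codinghorror", hidden));
console.log("setting off, distinguishable:", leaksExistence("sam", "codinghorror", shown));
```
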

This should fix it:

https://github.com/discourse/discourse/commit/ec21a15fa7234b8274b5b137afdd6dff78cf52a9

8 Likes

Yes, this looks correct now. Thanks! :trophy:

5 Likes