FEATURE: inform users if forgot password works or not

FIX: flash dialog in forgot password often had wrong color (this can be disabled by setting forgot_password_verbose to false)
discourse · Sep 11, 2014 · 61bcde6 · 61bcde6
1 parent aa21969
commit 61bcde6
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 8 deletions.
diff --git a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6 b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
@@ -17,18 +17,28 @@ export default DiscourseController.extend(ModalFunctionality, {
 
       this.set('disabled', true);
 
-      var success = function() {
+      var success = function(data) {
         // don't tell people what happened, this keeps it more secure (ensure same on server)
         var escaped = Handlebars.Utils.escapeExpression(self.get('accountEmailOrUsername'));
-        if (self.get('accountEmailOrUsername').match(/@/)) {
-          self.flash(I18n.t('forgot_password.complete_email', {email: escaped}));
-        } else {
-          self.flash(I18n.t('forgot_password.complete_username', {username: escaped}));
+        var isEmail = self.get('accountEmailOrUsername').match(/@/);
+
+        var key = 'forgot_password.complete_' + (isEmail ? 'email' : 'username');
+        var extraClass;
+
+        if (data.user_found === true) {
+          key += '_found';
         }
+
+        if (data.user_found === false) {
+          key += '_not_found';
+          extraClass = 'error';
+        }
+
+        self.flash(I18n.t(key, {email: escaped, username: escaped}), extraClass);
       };
 
       var fail = function(e) {
-        self.flash(e.responseJSON.errors[0], 'alert-error');
+        self.flash(e.responseJSON.errors[0], 'error');
       };
 
       Discourse.ajax('/session/forgot_password', {

diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
@@ -108,8 +108,13 @@ def forgot_password
       email_token = user.email_tokens.create(email: user.email)
       Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
     end
-    # always render of so we don't leak information
-    render json: {result: "ok"}
+
+    json = { result: "ok" }
+    if SiteSetting.forgot_password_verbose
+      json[:user_found] = user.present?
+    end
+
+    render json: json
 
   rescue RateLimiter::LimitExceeded
     render_json_error(I18n.t("rate_limiter.slow_down"))

diff --git a/config/locales/client.en.yml b/config/locales/client.en.yml
@@ -586,7 +586,11 @@ en:
       reset: "Reset Password"
       complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
       complete_email: "If an account matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."
+      complete_username_found: "We found an account that matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
+      complete_email_found: "We found an account that matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."
 
+      complete_username_not_found: "No account matches the username <b>%{username}</b>"
+      complete_email_not_found: "No account matches <b>%{email}</b>"
     login:
       title: "Log In"
       username: "User"

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -749,6 +749,7 @@ en:
     allow_index_in_robots_txt: "Specify in robots.txt that this site is allowed to be indexed by web search engines."
     email_domains_blacklist: "A list of email domains that users are not allowed to register accounts with. Example: mailinator.com trashmail.net"
     email_domains_whitelist: "A list of email domains that users MUST register accounts with. WARNING: Users with email domains other than those listed will not be allowed!"
+    forgot_password_verbose: "Inform users of an account's existance when they use the forgot password dialog."
     version_checks: "Ping the Discourse Hub for version updates and show new version messages on the /admin dashboard"
     new_version_emails: "Send an email to the contact_email address when a new version of Discourse is available."
 

diff --git a/config/site_settings.yml b/config/site_settings.yml
@@ -239,6 +239,7 @@ login:
   email_domains_whitelist:
     default: ''
     type: list
+  forgot_password_verbose: true
 
 users:
   min_username_length: