Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

password reset request displays email address

edited August 2006 in Vanilla 1.0 Help
... even when the members email is hidden in his account, so everyone can type in a username in the request form and see the email address another thought to increase security is not to display the username in the support email ('hello username,') but to ask for the username in the pwd reset form?!
«1

Comments

  • Options
    I don't understand what request form ? You mean when applying as a new member ?i tried it and nothing like that happen
  • Options
    when you forgot your password... If I ask to reset your password, I will know your email address
  • Options
    edited August 2006
    ah I see when you submit the form, interesting anyway to hide it ?

    I figured how to get ride of it, in english definitions, line 109 remove the //1 and it removes the email so you don't see it
  • Options
    Agreed. This is a bit problematic if, say a spambot runs the user list against this form to collect email addresses... but it is useful so the user can see which of his dozens of email accounts he happened to register with...

    Perhaps we need a delegate here so that, if one wanted, we could parse out the mailbox name of the address and just return the domain... Or just do that by default in the core?
  • Options
    All we really need to do is port the JS function which is serving emails to the profile page to make it serve them to that page too. It was probably just an oversight on marks part.
  • Options
    Maybe so, but I still believe its a security breach to make avaliable an email address that is believed private.
  • Options
    Hmmm. I guess so.
  • Options
    Just upload a patch: http://lussumo.com/addons/?PostBackAction=AddOn&Success=1&AddOnID=142 Still need to test it.
  • Options
    edited August 2006
    umm found 2 mistakes... still debugging
  • Options
    edited August 2006
    I have got a problem to extends the UserManager class. I tried:class UserManagerPatchRequestPasswordReset extends UserManager {...
    And got this error message:PHP Fatal error: Class 'UserManager' not found in /home/dinoboff/public_html/extensions/PatchRequestPassword/default.php
    Any idea?
  • Options
    edited August 2006
    Ok it is working...

    Download http://lussumo.com/addons/?PostBackAction=AddOn&Success=1&AddOnID=142,
    install it in the extensions folder,
    And enable the extension.

    NB: It is only work with Vanilla 1.0. If you are using vanilla 1.0.1 from the svn, you will have to wait the next update of Mark.
    Also, if you need to translate the extension you just need to add "$Context->Dictionary['PatchRequestPasswordResetYourMail'] = 'your email'; in conf/language.php;"
  • Options
    its not working with 1.0 only get a blank page
  • Options
    will check that...
  • Options
    Where do you get a blank screen? Do you have access to error.log? what is the error message?
  • Options
    edited August 2006
    I don't have a blank screen (so please give me your error message).
  • Options
    edited August 2006
    oups I trought you were talking about the email verification extension... I checked on vanilla 1.0, (apache 2.0.59, php 5.1.2) and it is working fine for me. Do you have the error message?
  • Options
    edited August 2006
    strangest thing without ever enabling it, just copying it into extensions folder it results in a blank page, i haven't check error log how do I do that on mac ?
  • Options
    edited August 2006
    OS X is like linux?

    something like /var/log/error.log or /var/log/httpd/error.log or /var/log/apache/error.log
  • Options
    I think it is "/private/var/log/httpd/error_log"
  • Options
    error log doesn't show anything
This discussion has been closed.