  1. Moodle
  2. MDL-69676

The protectusernames doesn't protect unconfirmed users


    Details

    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE

      Description

      If $CFG->protectusernames is on, there is a very small edge case where the email can be disclosed.

      This is the lifecycle of an account:

      1) the email doesn't match
      2) the email does match but the email isn't confirmed yet
      3) the email does match and the email is confirmed

      The feedback shown on the password forgot page for 1 & 3 is identical, but for the middle state you get a form field validation error:

      Your registration has not yet been confirmed!

      It's a very marginal hole but easily fixed.
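
The three states above and the response difference between them, as an added PHP example that is not Moodle code and not part of the original report. Every function, constant, sample account and the generic notice text is hypothetical; it contrasts the reported behaviour with a handler whose visible response is identical in all three states and counts the distinct responses each one produces.

```php
<?php
// Added illustration, not Moodle code. All names and strings are hypothetical,
// except the validation error, which is quoted from the report.
const GENERIC_NOTICE = 'If the details you supplied are correct, an email has been sent.';
const UNCONFIRMED_ERROR = 'Your registration has not yet been confirmed!';
// Constructed sample accounts: email => confirmed flag.
const ACCOUNTS = ['pending@example.test' => false, 'active@example.test' => true];

// Map an email to lifecycle state 1, 2 or 3 from the report.
function account_state(string $email): int {
    $key = strtolower(trim($email));
    if (!array_key_exists($key, ACCOUNTS)) {
        return 1; // the email doesn't match
    }
    return ACCOUNTS[$key] ? 3 : 2; // 3 = confirmed, 2 = not confirmed yet
}

// Reported behaviour: state 2 answers differently from states 1 and 3.
function respond_leaky(string $email): string {
    return account_state($email) === 2 ? UNCONFIRMED_ERROR : GENERIC_NOTICE;
}

// Uniform behaviour: server-side action may differ, the visible response may not.
function respond_uniform(string $email, array &$outbox): string {
    $state = account_state($email);
    if ($state === 3) {
        $outbox[] = ['password_reset', $email];
    } elseif ($state === 2) {
        // Assumption of this example: tell the mailbox owner by email instead.
        $outbox[] = ['confirmation_reminder', $email];
    }
    return GENERIC_NOTICE;
}

// Regression check: probe one email per state and count distinct responses.
function distinct_responses(callable $respond): int {
    $seen = [];
    foreach (['nobody@example.test', 'pending@example.test', 'active@example.test'] as $email) {
        $seen[$respond($email)] = true;
    }
    return count($seen);
}

$outbox = [];
$uniform = function (string $email) use (&$outbox): string {
    return respond_uniform($email, $outbox);
};
printf("reported behaviour: %d distinct responses\n", distinct_responses('respond_leaky'));
printf("uniform behaviour:  %d distinct responses\n", distinct_responses($uniform));
printf("mail queued server-side: %d\n", count($outbox));
```

A count above one for any handler means the page lets a visitor tell the states apart; the same check can be pointed at a real form's rendered output in an automated test.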


            People

            Assignee:
            Unassigned
            Reporter:
            brendanheywood Brendan Heywood
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan