Resolution: Not a bug
Affects Version/s: 3.5.13, 3.7.7, 3.8.4, 3.9.1, 3.10
Fix Version/s: None
Affected Branches:MOODLE_310_STABLE, MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
If $CFG->protectusernames is on there is a very small edge case where the email can be disclosed.
This is the lifecycle of an account:
1) the email doesn't match
2) the email does match but the email isn't confirmed yet
3) the email does match and the email is confirmed
The feedback show on the password forgot page for 1 & 3 is identical but for the middle state you get a form field validation error:
Your registration has not yet been confirmed!
It's a very marginal hole but easily fixed.