DEV: Change hide_email_address_taken default to true (#30293)

We're changing the default of hide_email_address_taken to true. This is a trade-off we want to make, as it prevents account enumeration with minimal impact on legitimate users. If you forget you have an account and try to sign up again with the same e-mail you'll receive an e-mail letting you know.
2025-02-25 18:55:32 -06:00 · 2024-12-17 10:46:04 +08:00
parent 0410c07342
commit c1c7ea8959
12 changed files with 55 additions and 12 deletions
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -656,6 +656,8 @@ RSpec.describe "users" do
  end

  path "/session/forgot_password.json" do
+    SiteSetting.hide_email_address_taken = false
+
    post "Send password reset email" do
      tags "Users"
      operationId "sendPasswordResetEmail"
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -1013,6 +1013,8 @@ RSpec.describe UsersController do
    end

    context "when creating as active" do
+      before { SiteSetting.hide_email_address_taken = false }
+
      it "won't create the user as active" do
        post "/u.json", params: post_user_params.merge(active: true)
        expect(response.status).to eq(200)
@@ -2042,6 +2044,8 @@ RSpec.describe UsersController do
  end

  describe "#check_email" do
+    before { SiteSetting.hide_email_address_taken = false }
+
    it "returns success if hide_email_address_taken is true" do
      SiteSetting.hide_email_address_taken = true

--- a/spec/requests/users_email_controller_spec.rb
+++ b/spec/requests/users_email_controller_spec.rb
@@ -207,12 +207,26 @@ RSpec.describe UsersEmailController do
      context "when new email is different case of existing email" do
        fab!(:other_user) { Fabricate(:user, email: "case.insensitive@gmail.com") }

-        it "raises an error" do
-          put "/u/#{user.username}/preferences/email.json",
-              params: {
-                email: other_user.email.upcase,
-              }
-          expect(response).to_not be_successful
+        context "when hiding taken e-mails" do
+          it "raises an error" do
+            put "/u/#{user.username}/preferences/email.json",
+                params: {
+                  email: other_user.email.upcase,
+                }
+            expect(response).to be_successful
+          end
+        end
+
+        context "when revealing taken e-mails" do
+          before { SiteSetting.hide_email_address_taken = false }
+
+          it "raises an error" do
+            put "/u/#{user.username}/preferences/email.json",
+                params: {
+                  email: other_user.email.upcase,
+                }
+            expect(response).to_not be_successful
+          end
        end
      end