security: fixed returning info on weither user exists or not in password reset call, fixes #7619

2025-02-10 15:45:43 -06:00 · 2017-04-11 16:50:16 +02:00 · 2017-04-11 16:50:16 +02:00 · 07466b6725
commit 07466b6725
parent a109049de4
2 changed files with 13 additions and 5 deletions
--- a/pkg/api/password.go
+++ b/pkg/api/password.go
@ -12,7 +12,8 @@ func SendResetPasswordEmail(c *middleware.Context, form dtos.SendResetPasswordEm
 	userQuery := m.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail}

 	if err := bus.Dispatch(&userQuery); err != nil {
-		return ApiError(404, "User does not exist", err)
+		c.Logger.Info("Requested password reset for user that was not found", "user", userQuery.LoginOrEmail)
+		return ApiError(200, "Email sent", err)
 	}

 	emailCmd := m.SendResetPasswordEmailCommand{User: userQuery.Result}
--- a/public/app/partials/reset_password.html
+++ b/public/app/partials/reset_password.html
@ -21,15 +21,22 @@
 				</div>

 				<div class="gf-form-button-row">
+					<br />
+					<br />
 					<button type="submit" class="btn btn-large" ng-click="sendResetEmail();" ng-class="{'btn-inverse': !sendResetForm.$valid, 'btn-primary': sendResetForm.$valid}">
-						Send reset instructions
+						Reset Password
 					</button>
 				</div>
 			</form>

-			<h5 style="text-align: center; padding: 20px;" ng-if="mode === 'email-sent'">
-				An email with a reset link as been sent to the email address, you should receive it shortly.
-			</h5>
+
+			<div style="text-align: center; padding: 20px;" ng-if="mode === 'email-sent'">
+				An email with a reset link as been sent to the email address. <br>
+				You should receive it shortly.
+			</div>
+
+			<br />
+			<br />

 			<form name="resetForm" class="login-form gf-form-group" ng-show="mode === 'reset'">
 				<div class="gf-form">