• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Not a bug Lost Password form accepting empty field as valid email account

japersonal

Active member
#1
Hi,

When you use the Lost Password form and enter an email account which doesn't exist in the database, there is a valid error message:

The requested member could not be found.
But when you leave the e-mail field empty and clic on the "Reset Password" button, your system accepts that as a valid input and return a page with this message:

A password reset request has been emailed to you. Please follow the instructions in that email.
OK, this might be a very minor glitch... but I'm thinking of a scenario where a user was too quick or too distracted and forgot to enter his/her valid email account. He or she will end up waiting for a message which will never arrive... not to mention an additional burden for the forum admins who will receive a request/complaint from this user because he/she did not receive the email to reset his/her password.

A little check and warning like the "Please enter a valid email." you have in place for the contact form when the e-mail field was left empty would be a good fix for this situation. :)

Thank you!
 
Last edited:

Brogan

XenForo moderator
Staff member
#4
Do you have any add-ons installed as that is not standard behaviour.

You can check for yourself by testing it here on this site.
Leaving the field blank results in an error message.

That page only works when not logged in so how would the system know which user was requesting the password reset?
 

japersonal

Active member
#5
Do you have any add-ons installed as that is not standard behaviour.
Yes, three of them:

[bd] Widget Framework 2.4.3
[bd] Rotating Ads 1.6.2
Import Tools by Waindigo 1.0.1

Plus the language pack for the Spanish language.

You can check for yourself by testing it here on this site.
Leaving the field blank results in an error message.
I see. In my website its behaviour is slightly different, as explained above.

That page only works when not logged in so how would the system know which user was requesting the password reset?
I don't know. I'm just posting my findings here. Feel free to try by yourself at my site. You will find the selector at the bottom to change language into English.
 

Mike

XenForo developer
Staff member
#6
You don't happen to have a user with no name, do you? (From an import.)

I'd also search your users by that email address.

The code looks up the user by email if it appears to be one (which a string without @ never matches) and then by username.
 

japersonal

Active member
#7
You don't happen to have a user with no name, do you? (From an import.)
Eureka!

Yes, from a vBulletin import. And with status "Awaiting email confirmation". Oh my God. How did this happen? A missing username because of the import process? Or vBulletin allowed a user to be registered with an "empty" username?

Either way, thank you very much. I'm sorry for the troubles. And my intention was honest, to be helpful.