From 3fbad684c1423c724bc64a6299361f268e26ef2a Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 20 Sep 2017 10:31:01 -0700
Subject: [PATCH] More completely explain why we're refusing to send reset mail to an unverified address
Summary: See PHI78. The user was getting this message and (reasonably) interpreted it to mean "reset mail can never be sent to unverified addresses". Reword it to be more clear, albeit an entire paragraph long. I don't really have a good solution in these cases where we'd need a whole page to explain what's happening (this, plus "we can't tell you which address you should use because an attacker could get information if we did" and "this rule defuses the risk that an opportunistic attacker may try to compromise your account after you add an email you don't own by mistake"). We could write it up separately and link to it, but I feel like that stuff tends to get out of date. Just land somewhere in the middle.
Test Plan: {F5189105}
Reviewers: amckinley
Reviewed By: amckinley
Differential Revision: https://secure.phabricator.com/D18630
---
 .../auth/controller/PhabricatorEmailLoginController.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/applications/auth/controller/PhabricatorEmailLoginController.php b/src/applications/auth/controller/PhabricatorEmailLoginController.php
index 92accc7494..f57a29b11a 100644
--- a/src/applications/auth/controller/PhabricatorEmailLoginController.php
+++ b/src/applications/auth/controller/PhabricatorEmailLoginController.php
@@ -71,8 +71,11 @@ final class PhabricatorEmailLoginController
 $target_email->getUserPHID());
 if ($verified_addresses) {
 $errors[] = pht(
- 'That email address is not verified. You can only send '.
- 'password reset links to a verified address.');
+ 'That email address is not verified, but the account it is '.
+ 'connected to has at least one other verified address. When an '.
+ 'account has at least one verified address, you can only send '.
+ 'password reset links to one of the verified addresses. Try '.
+ 'a verified address instead.');
 $e_email = pht('Unverified');
 }
 }
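Review bot: The reason this error stops short of naming a usable address is recorded only in the commit description, so the `pht(` call inside `if ($verified_addresses)` should carry it as a comment, for example `// Deliberately do not name the verified address: doing so would disclose account details to whoever submitted this form.` The new text also states outright that the submitted address belongs to an account with another verified address. The old wording was returned from the same branch, so the signal is probably not new, but it is worth confirming that this request path is throttled or CAPTCHA-protected, which the hunk does not show. The enclosing method starts and ends outside the hunk.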