1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 08:42:41 +01:00

More completely explain why we're refusing to send reset mail to an unverified address

Summary:
See PHI78. The user was getting this message and (reasonably) interpreted it to mean "reset mail can never be sent to unverified addresses".

Reword it to be more clear, albeit an entire paragraph long. I don't really have a good solution in these cases where we'd need a whole page to explain what's happening (this, plus "we can't tell you which address you should use because an attacker could get information if we did" and "this rule defuses the risk that an opportunistic attacker may try to compromise your account after you add an email you don't own by mistake"). We could write it up separately and link to it, but I feel like that stuff tends to get out of date.

Just land somewhere in the middle.

Test Plan: {F5189105}

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D18630
This commit is contained in:
epriestley 2017-09-20 10:31:01 -07:00
parent 03e5d69817
commit 3fbad684c1

View file

@ -71,8 +71,11 @@ final class PhabricatorEmailLoginController
$target_email->getUserPHID()); $target_email->getUserPHID());
if ($verified_addresses) { if ($verified_addresses) {
$errors[] = pht( $errors[] = pht(
'That email address is not verified. You can only send '. 'That email address is not verified, but the account it is '.
'password reset links to a verified address.'); 'connected to has at least one other verified address. When an '.
'account has at least one verified address, you can only send '.
'password reset links to one of the verified addresses. Try '.
'a verified address instead.');
$e_email = pht('Unverified'); $e_email = pht('Unverified');
} }
} }