I’m trying to build the password reset form and am using the form “forgot_password_form”.
I have specified the return URL after submission, which works fine, except I noticed an issue.
When someone enters a non-existing email account, it will default to a generic error message that comes from EE. The text is fine because it does not inform the person if the email exists or not. It just tells them that if the email exists, a password reset link was sent. This is standard procedure since you don’t want to inform someone if the account does or does not exist.
The problem is that since I use the return URL in the form with a custom success template, this is quite different visually.
It means someone can use the form to check your database for registered emails if they just hit the EE form instead of my custom success message. Ideally, I would like to also show those error messages in my template and use the same success message regardless of whether the password reset link was sent or not.
I tried the error tag from the docs {errors}, but it does not seem to work.
Using the errors tags in my form, they will actually render in the template instead of showing any error/user message after submission. Where or how do you use the errors tags?
I think I also hit a bug. The parameter password_reset_url= is passing a backslash at the end, which means the password link in the email always looks like:
example.com//your-reset-template
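The visual difference described in the post can be turned into a regression check. The following is an added example, not part of the original post and not ExpressionEngine code: it compares the response for a registered address with the response for an unregistered one and lists every observable difference. The `Response` class, the sample responses, the `/account/reset-sent` path and the `csrf_token` field name are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (constructed type)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Values that change on every request and must not count as a difference.
# The field name "csrf_token" is an assumption for this example.
_VOLATILE = [
    re.compile(r'name="csrf_token" value="[^"]*"'),
    re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"),
]


def _normalize(body: str) -> str:
    """Strip per-request values and collapse whitespace before comparing."""
    for pattern in _VOLATILE:
        body = pattern.sub("", body)
    return re.sub(r"\s+", " ", body).strip()


def distinguishing_signals(known: Response, unknown: Response) -> list:
    """Return what differs between the registered and unregistered case."""
    signals = []
    if known.status != unknown.status:
        signals.append("status")
    if known.headers.get("Location") != unknown.headers.get("Location"):
        signals.append("redirect")
    if _normalize(known.body) != _normalize(unknown.body):
        signals.append("body")
    return signals


# Constructed samples modelling the post: a registered address is redirected to
# the custom success template, an unregistered one gets the generic message page.
CUSTOM_SUCCESS = Response(302, {"Location": "/account/reset-sent"})
GENERIC_MESSAGE = Response(200, {}, "<p>If the email exists, a reset link was sent.</p>")

# Constructed samples for the desired behaviour: same page either way,
# differing only in the per-request token and whitespace.
UNIFORM_A = Response(200, {}, '<p>Check your inbox.</p>\n<input name="csrf_token" value="a1b2">')
UNIFORM_B = Response(200, {}, '<p>Check your inbox.</p> <input name="csrf_token" value="9f8e">')

if __name__ == "__main__":
    print(distinguishing_signals(CUSTOM_SUCCESS, GENERIC_MESSAGE))
    print(distinguishing_signals(UNIFORM_A, UNIFORM_B))
```

An empty list means the two cases look the same on status, redirect target and page content; response time is a further signal this check does not measure.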