
wpForo 1.x.x [Closed] Reset password error

5 Posts
3 Users
0 Likes
2,063 Views
Posts: 23
Topic starter
(@mistral)
Eminent Member
Joined: 5 years ago

Hi Guys

2 requests or queries

When resetting a password and using a non-matching username/email, the error shown is 'invalidcombo'.

This is not great for 2 reasons

1. The message is not user friendly, can it be changed? I do not see it listed in the 'Front-end Phrases'

2. It is bad practice to advise users if they were or were not using a valid username/email as it allows email harvesting. The message should be generic regardless of the validity: 'If a matching username or email was found, you will receive an email to reset your password.' I appreciate this is not the best UX but it is the best security model.

Ideally there would be a setting to allow choice, to show errors or a generic response.

Thanks

Mistral

4 Replies
Posts: 1602
(@anonymous20)
Noble Member
Joined: 8 years ago

Since wpForo doesn't provide any login/registration functions but only a "form" for it, that error comes from WordPress core or some other plugin you use.

Posts: 23
Topic starter
(@mistral)
Eminent Member
Joined: 5 years ago

Hi

Please try and reset the password on this very forum and see the error yourself.

I agree this is originating in WordPress core, but you should be processing it. In the wp-login.php, for example, they do this:

$errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.'));

Invalidcombo is the error type, not the message....

Regards

Mistral

Robert
Posts: 10499
Admin
(@robert)
Support Team
Joined: 8 years ago

@mistral,

This error doesn't come from wpForo. There is no such error message in wpForo. I searched the whole code of the wpForo plugin and didn't find it. This is not wpForo code. Please let me know where you found this code. What is the file and directory name?

Some plugin uses WP hooks and adds its error to the Password Reset process. wpForo only provides forms and pages, but the error message comes from other plugins.

Posts: 23
Topic starter
(@mistral)
Eminent Member
Joined: 5 years ago

@robert

I'm not sure you have read my response. In any case I will try and provide some more feedback.

Yes, the error is coming from WordPress core. For some reason that particular error will not return a nice error string. So in wpForo you have this line; the bold bit actually returns null.

Line 1944 wpf-hooks.php

WPF()->notice->add(join( ',', $errors->get_error_codes()), 'error');

In the standard wp-login.php around line 335 they check if there is no error code and add a new error to fix this.

if ( $errors->get_error_code() )
    return $errors;

if ( !$user_data ) {
    $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or email.'));
    return $errors;
}

With a small bit of refactoring you can also take measures to see if the get_error_codes() returns null and add this error.

Hope that helps

Mistral
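
The two requests in this thread (a readable message instead of the bare error code, and an optional generic response that does not confirm whether an account exists) can be handled in one place. The sketch below is an added example, not part of the original thread and not wpForo or WordPress code; `reset_notice()`, its constants and the sample inputs are hypothetical, and it assumes the error codes and messages have already been read out of the `WP_Error` object into a plain array.

```php
<?php
// Added example, not wpForo or WordPress code. Input is a code => message map,
// as could be built from WP_Error::get_error_codes() / get_error_message($code).

const GENERIC_RESET_NOTICE =
    'If a matching username or email was found, you will receive an email to reset your password.';

// Codes that reveal whether an account exists. 'invalidcombo' is from the thread;
// 'invalid_email' is assumed to be the sibling core code for an unknown address.
const ACCOUNT_REVEALING_CODES = ['invalidcombo', 'invalid_email'];

/**
 * Decide what the reset form shows.
 * $errors:  code => message map, empty when the reset mail was queued.
 * $generic: the site setting the topic starter asks for.
 * Returns ['type' => 'success'|'error', 'text' => string].
 */
function reset_notice(array $errors, bool $generic = true): array
{
    $shown = [];
    foreach ($errors as $code => $message) {
        if ($generic && in_array($code, ACCOUNT_REVEALING_CODES, true)) {
            continue; // treated exactly like a successful request
        }
        // Show the human-readable message, never the bare code; strip core's HTML.
        $text = trim(strip_tags((string) $message));
        $shown[] = $text !== '' ? $text : 'The password reset request could not be processed.';
    }
    if ($shown === []) {
        return ['type' => 'success', 'text' => GENERIC_RESET_NOTICE];
    }
    return ['type' => 'error', 'text' => implode(' ', array_unique($shown))];
}

// Constructed inputs: unknown account, known account, empty form field.
$unknown = ['invalidcombo' => '<strong>ERROR</strong>: Invalid username or email.'];
$known   = [];
$empty   = ['empty_username' => '<strong>ERROR</strong>: Enter a username or email address.'];

var_dump(reset_notice($unknown) === reset_notice($known)); // compares both responses
print_r(reset_notice($empty));          // non-revealing errors still reach the user
print_r(reset_notice($unknown, false)); // verbose mode: readable text, not the code
```

Identical text only closes the harvesting channel if the HTTP status, redirect target and response time are also the same for known and unknown accounts.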