From 4f5f8de2e8447233d7236c9f024dd1bf0334a3b4 Mon Sep 17 00:00:00 2001
From: Ahmed Awan
Date: Mon, 1 Jul 2024 12:36:41 -0500
Subject: [PATCH] [24.0] Return generic message for password reset email

This prevents existence of a user account from being queryable through password reset. We now return `None` and display a generic message regardless of a prt being created or not.

Fixes https://github.com/galaxyproject/galaxy/issues/18475
---
 lib/galaxy/managers/users.py | 2 +-
 lib/galaxy/webapps/galaxy/controllers/user.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
index 2196857cf479..4a9501585ee2 100644
--- a/lib/galaxy/managers/users.py
+++ b/lib/galaxy/managers/users.py
@@ -609,7 +609,7 @@ def send_reset_email(self, trans, payload, **kwd):
 log.debug(body)
 return f"Failed to submit email. Please contact the administrator: {util.unicodify(e)}"
 else:
- return "Failed to produce password reset token. User not found."
+ return None
 
 def get_reset_token(self, trans, email):
 reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
diff --git a/lib/galaxy/webapps/galaxy/controllers/user.py b/lib/galaxy/webapps/galaxy/controllers/user.py
index e661f3c40afe..d8c1ed5541c4 100644
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -342,7 +342,7 @@ def reset_password(self, trans, payload=None, **kwd):
 payload = payload or {}
 if message := self.user_manager.send_reset_email(trans, payload):
 return self.message_exception(trans, message)
- return {"message": "Reset link has been sent to your email."}
+ return {"message": "If an account exists for this email address a confirmation email will be dispatched."}
 
 def __get_redirect_url(self, redirect):
 if not redirect or redirect == "None":
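Review bot: With the no-user branch now returning None, the one remaining non-None return in this hunk, `return f"Failed to submit email. Please contact the administrator: {util.unicodify(e)}"`, is reached only after a matching account was found, so a mail-delivery failure still produces a response that differs from the unknown-address case and additionally echoes the raw exception text to the requester; the controller hunk in user.py forwards that text through message_exception. Consider recording the failure server-side and returning None on that path too, e.g. `log.exception("Failed to send password reset email")` followed by `return None`, so every outcome reaches the controller's generic message. The request will presumably also take longer when an email is actually sent, so this change narrows but may not fully close the account-existence oracle; a short comment at the top of the function noting that residual would help the next maintainer. send_reset_email starts before this hunk.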
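Review bot: The new message string calls the email a "confirmation email", but the context lines show it is produced by `send_reset_email`, so the user is told to expect a confirmation rather than a reset link; a wording such as `return {"message": "If an account exists for this email address, a password reset email will be sent."}` keeps the deliberately generic shape without misnaming the email. Since `if message := self.user_manager.send_reset_email(trans, payload):` now treats None as the normal outcome for both a sent email and an unknown address, a comment on the line above it such as `# None covers both "email sent" and "no such account": the two must be indistinguishable to the requester` would record why the controller must not branch on the cause. reset_password starts before this hunk.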