Magento 2 forgot password doesn't check email exist exist or not
https://magento.stackexchange.com/questions/283288
-
08-03-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianDomanda
Magento 2 forgot password doesn't check email exist or not. It gives the message
If there is an account associated with xxxx@xxxx.com you will receive an email with a link to reset your password.
It should give an error message if email not exist.
Soluzione
That would be security risk as any one can check if some user have account on the website or not . Then he just have to guess a password . So message should be always success .
If you want to change it , you can modify the logic in
magento/module-customer/Model/AccountManagement.phpin initiatePasswordReset method where customer is loaded . you can check if customer exists and throw error like
$this->messageManager->addErrorMessage(
__('The email address is does not exist. Verify the email address and try again.')
But i would strongly suggest not to change this logic as that would be security flaw
