Reset email form never displays an error to the user

Nextcloud version: Nextcloud 19.0.3
Operating system and version: centos-release-7-8.2003.0.el7.centos.x86_64 (nethserver installation)
Apache or nginx version: httpd-2.4.6-93.el7.centos.x86_64
PHP version: 7.2

Hello,

I searched for someone having the same issue with no results. The problem is that no matter what a user types in the password-reset form (where username or email is needed), the message that is shown is “A password reset message has been sent to the e-mail address of this account…”, meaning that the email was sent successfully. The same seems to be happening even when there is an SMTP or any other error. The system works OK, where existing users do receive the password reset email, but the message displayed is wrong, making users believe that they typed their email correctly.

Actually, in the logs a warning is shown:

“Could not send password reset email: Could not find user”

without any other relevant log entries.

Any information regarding this problem would be greatly appreciated.

I do not really understand your problem. But if e.g. the e-mail is wrong you also get this message, because whether the e-mail is valid or not valid is too much information for a hacker.

But perhaps for the SMTP error you can open an issue. I think it is possible to tell the user and the hacker this error.

Yes, I agree giving too much information is not advised, but in this case this message is misleading to users. The problem is caused when users mistype their email address, and then they wait to receive the password reset email forever, often reporting problems where they do not exist.

Actually I thought that this behavior is not by design in Nextcloud, having in mind the behavior of other similar services where the user is informed if the account is not found. But I may be wrong.

Can you open an issue?

If this is by design, and based on the fact that there is no problem with the operation at all, I don’t think it is so much an issue, but more of an enhancement that I would not want to request. I can modify the message displayed to be more informative for the users as a workaround.

Having to change the default behavior for that would also require adding it as an option for the administrators that do not want to give this information.

If this is not the default behavior then probably there is something wrong with my installation.
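
An added example, not part of the thread or of Nextcloud's code: one way an administrator can use the warning quoted in the first post to spot mistyped reset requests server-side while the form keeps showing the same message to everyone. The log lines are constructed, and the JSON field names (`time`, `remoteAddr`, `message`), the helper names and the threshold are assumptions.

```python
import json
from collections import Counter

# Warning text quoted in the thread's first post.
RESET_WARNING = "Could not send password reset email: Could not find user"

def _line(ts, addr, msg):
    # Builds one constructed log entry; field names are an assumed JSON-lines layout.
    return json.dumps({"level": 2, "time": ts, "remoteAddr": addr,
                       "app": "core", "message": msg})

# Constructed sample log (not real data); addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    _line("2020-09-15T10:00:01+00:00", "192.0.2.10", RESET_WARNING),
    _line("2020-09-15T10:02:10+00:00", "192.0.2.10", "unrelated constructed entry"),
    "truncated {not json",  # damaged line that must not stop the scan
    _line("2020-09-15T11:30:00+00:00", "198.51.100.7", RESET_WARNING),
    _line("2020-09-15T11:30:02+00:00", "198.51.100.7", RESET_WARNING),
    _line("2020-09-15T11:30:04+00:00", "198.51.100.7", RESET_WARNING),
    _line("2020-09-15T11:30:06+00:00", "198.51.100.7", RESET_WARNING),
])

def failed_resets_by_source(log_text):
    """Count 'Could not find user' reset warnings per client address."""
    counts = Counter()
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        if not isinstance(entry, dict):
            continue
        if RESET_WARNING in str(entry.get("message", "")):
            counts[entry.get("remoteAddr", "unknown")] += 1
    return counts

def classify(counts, threshold=3):
    """One or two misses look like a typo; repeated misses deserve a closer look."""
    return {addr: ("review" if n >= threshold else "likely typo")
            for addr, n in counts.items()}

if __name__ == "__main__":
    for addr, verdict in classify(failed_resets_by_source(SAMPLE_LOG)).items():
        print(addr, verdict)
```
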