Description
When a user requests to reset their password, the system does not validate whether the email exists in the database. It sends a password reset email to any email address entered, regardless of whether it is registered in the system or not. This issue can lead to confusion for users and potentially allow the system to send unnecessary emails.
Steps to Reproduce
Go to the password reset page.
Enter any email address (even one not registered in the system).
Click on the "Reset Password" button.
Notice that an email is sent to the provided address, regardless of its existence in the database.
Expected Behavior
The system should first check if the email exists in the database.
If the email does not exist, it should display an error message like "Email not found" and not send a reset email.
If the email exists, it should proceed with sending the reset email.
Actual Behavior
The system sends a password reset email to any email address provided, even if it is not registered in the database.
Possible Fix
Modify the email validation logic to ensure the email exists in the database before sending the reset password email.
If the email does not exist, return an appropriate error message to the user and do not trigger the email send.
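The fix described above, as an added example that is not code from the project this issue was filed against. It assumes an in-memory user store and a mailer stand-in (REGISTERED_USERS, OutboundMailer) in place of the real database and mail service, and the function names (request_reset_unchecked, request_reset) are hypothetical. request_reset_unchecked reproduces the behaviour under Actual Behavior; request_reset performs the existence check first and only sends for registered accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


# Constructed sample user store standing in for the real database.
REGISTERED_USERS: Dict[str, dict] = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

# One message for both outcomes, so the response itself does not reveal
# whether an address is registered (see the note after the block).
GENERIC_MESSAGE = (
    "If an account exists for that address, a password reset link has been sent."
)


class OutboundMailer:
    """Constructed stand-in for the mail service; records what would be sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send_reset(self, email: str, token: str) -> None:
        self.sent.append((email, token))


@dataclass
class ResetRequestResult:
    message: str            # text shown to the requester
    email_sent: bool        # whether a reset email was actually queued
    token: Optional[str]    # token embedded in the reset link, None if no email


def normalize_email(raw: str) -> str:
    """Trim and lower-case so 'Alice@Example.com ' matches the stored key."""
    return raw.strip().lower()


def request_reset_unchecked(raw_email: str, mailer: OutboundMailer) -> ResetRequestResult:
    """Behaviour described under Actual Behavior: sends to any address given."""
    email = normalize_email(raw_email)
    token = secrets.token_urlsafe(32)
    mailer.send_reset(email, token)
    return ResetRequestResult("A password reset email has been sent.", True, token)


def request_reset(
    raw_email: str,
    users: Dict[str, dict],
    mailer: OutboundMailer,
    reveal_existence: bool = False,
) -> ResetRequestResult:
    """Fixed flow: look the address up first and only send for registered accounts.

    reveal_existence=True returns the literal "Email not found" message the
    report asks for; the default keeps the response identical for both cases.
    """
    email = normalize_email(raw_email)
    if email not in users:
        # No account: nothing is sent, whichever message is shown.
        if reveal_existence:
            return ResetRequestResult("Email not found", False, None)
        return ResetRequestResult(GENERIC_MESSAGE, False, None)
    # Registered account: mint a single-use token and send the link.
    token = secrets.token_urlsafe(32)
    mailer.send_reset(email, token)
    return ResetRequestResult(GENERIC_MESSAGE, True, token)


if __name__ == "__main__":
    mailer = OutboundMailer()
    for addr in ("alice@example.com", "nobody@example.com"):
        result = request_reset(addr, REGISTERED_USERS, mailer)
        print(f"{addr}: sent={result.email_sent} message={result.message!r}")
    print("emails actually queued:", [e for e, _ in mailer.sent])
```

The existence check is what stops the unnecessary emails; the message shown to the requester is a separate decision. The default here deliberately returns the same text for registered and unregistered addresses, because a distinct "Email not found" response lets anyone test which addresses have accounts, which is why password reset forms are usually designed not to confirm account existence. The reveal_existence flag is included only so the report's literal expected behaviour can be compared against that default. Response timing remains a smaller side channel, since the registered path does more work; in a real service the token generation and send would typically be queued rather than done inline.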