WillyXJ / facileManager

A modular suite of web apps built with the sysadmin in mind.
www.facilemanager.com
GNU General Public License v2.0

[BUG] Password reset can inadvertently expose email address #592

Closed drdelaney closed 4 months ago

drdelaney commented 9 months ago


fM Version: 4.5.0, fmDNS Version: 5.3.3

(BUG | ISSUE) Expected Behavior: Display a generic message, as it does for an invalid user, so as not to expose a user or email.

(BUG | ISSUE) Actual Behavior: Displays the email address for the user if valid. Report the issue to the logs instead, or maybe throw a generic SMTP error up for the user (maybe for all users, even if invalid; otherwise this can be used to verify valid accounts).

(BUG | ISSUE) Steps to reproduce: Break your email setup so messages will not be relayed.

When trying to reset the password for my admin, I noticed it would say it sent me an email when the user was invalid (it should probably say an email will be sent if the user is valid, but that is out of scope for this issue).

But when I used a valid user with SMTP broken, I got the following:

Mailer Error: SMTP Error: The following recipients failed: myvalid@email.here SMTP server error: 4.7.1 : Relay access denied

WillyXJ commented 7 months ago

Thanks for the report. Since fM uses PHPMailer and the errors come from that class, the next version will contain a fix to hide mailing errors unless the "Show Errors" setting is enabled.

WillyXJ commented 4 months ago

This is now fixed in fM 4.6.0 and later.
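The behaviour the fix describes (one generic reply whether the user is unknown, the mail was sent, or the mailer failed, with the SMTP detail kept in the server-side log unless "Show Errors" is enabled), as an added Python example that is not facileManager's own PHP code. The `ResetService` class, the injected `send_mail` callable and the sample user are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Same text for unknown users, delivered mail and failed mail.
GENERIC_MESSAGE = "If that account exists, a password reset email has been sent."


class MailerError(Exception):
    """Stand-in for the mailer's exception; PHPMailer raises its own class."""


@dataclass
class ResetService:
    users: dict[str, str]                  # username -> email (constructed sample)
    send_mail: Callable[[str, str], None]  # send_mail(email, token); raises MailerError
    show_errors: bool = False              # mirrors fM's "Show Errors" admin setting
    audit: list[str] = field(default_factory=list)  # server-side log, never shown to users

    def request_reset(self, username: str) -> dict:
        """Handle a reset request without revealing whether the account exists."""
        response = {"status": 200, "message": GENERIC_MESSAGE}
        email = self.users.get(username)
        if email is None:
            self.audit.append(f"reset requested for unknown user {username!r}")
            return response
        token = secrets.token_urlsafe(32)
        try:
            self.send_mail(email, token)
            self.audit.append(f"reset mail queued for {username!r}")
        except MailerError as exc:
            # The SMTP detail names the recipient, so it goes to the log only...
            self.audit.append(f"mailer error for {username!r}: {exc}")
            # ...unless the operator has explicitly enabled error display.
            if self.show_errors:
                response["debug"] = str(exc)
        return response


def broken_smtp(email: str, token: str) -> None:
    """Constructed mailer that fails the way the relay in the report did."""
    raise MailerError(f"SMTP Error: The following recipients failed: {email} "
                      "SMTP server error: 4.7.1 : Relay access denied")


if __name__ == "__main__":
    svc = ResetService({"admin": "myvalid@email.here"}, broken_smtp)
    # Both replies are identical, so the caller cannot tell which user exists.
    print(svc.request_reset("nobody"))
    print(svc.request_reset("admin"))
    print(svc.audit)  # only the log carries the address and the relay error
```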