Open pral2a opened 2 years ago
Describe the bug: Looks like the recovery password controller doesn't limit the number of requests, allowing someone to programmatically use it to generate email spam or overload the SMTP service.
To Reproduce: Steps to reproduce the behaviour:
Expected behaviour: Rate limit password resets by email to X amount per hour. Other limitations (IP) can also be used.
Additional context: The issue was reported by an unknown user at webmasters (at) fablabs.io. This is not a high-priority issue.
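An added example, not code from the fablabs.io project or from the issue author, of the mitigation the report asks for: a password-recovery request is counted per normalised e-mail address and per client IP over a sliding one-hour window, and is dropped when either counter is at its limit. The limits (3 per e-mail, 10 per IP), the in-memory store, the injectable clock and the `outbox` stand-in for the mailer are all assumptions; a deployed version would keep the counters in a shared store such as Redis. The handler returns the same response whether or not a mail was sent, so throttling reveals nothing about which addresses exist.

```ruby
# Added example (not fablabs.io code): sliding-window rate limiting for a
# password-recovery endpoint, keyed by e-mail address and by client IP.
class PasswordResetRateLimiter
  WINDOW_SECONDS = 3600 # one hour, per the issue's "per hour" wording

  # Limits and the clock are assumptions (the issue only says "X amount per hour").
  # The clock is injectable so behaviour over time can be tested deterministically.
  def initialize(max_per_email: 3, max_per_ip: 10, clock: -> { Time.now.to_i })
    @max_per_email = max_per_email
    @max_per_ip = max_per_ip
    @clock = clock
    # key ("email:..." or "ip:...") => timestamps of accepted requests in the window
    @buckets = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true when the request may proceed (a mail may be sent) and false
  # when it should be dropped. Dropped requests are not counted, so a flood of
  # rejected attempts cannot extend the lock-out beyond the window.
  def allow?(email:, ip:)
    now = @clock.call
    email_key = "email:#{normalize_email(email)}"
    ip_key = "ip:#{ip}"
    prune!(email_key, now)
    prune!(ip_key, now)

    return false if @buckets[email_key].size >= @max_per_email
    return false if @buckets[ip_key].size >= @max_per_ip

    @buckets[email_key] << now
    @buckets[ip_key] << now
    true
  end

  # Number of accepted requests currently inside the window for an e-mail or IP.
  def count(email: nil, ip: nil)
    now = @clock.call
    key = email ? "email:#{normalize_email(email)}" : "ip:#{ip}"
    prune!(key, now)
    @buckets[key].size
  end

  private

  # Case and surrounding whitespace must not create separate buckets.
  def normalize_email(email)
    email.to_s.strip.downcase
  end

  # Drop timestamps that have fallen out of the sliding window.
  def prune!(key, now)
    @buckets[key].reject! { |t| t <= now - WINDOW_SECONDS }
  end
end

# Constant response: identical whether a mail was queued, the address is
# unknown, or the request was throttled.
RESET_RESPONSE = "If an account exists for that address, a recovery e-mail has been sent.".freeze

# Hypothetical controller action. `outbox` stands in for the mailer queue
# (an Array in this example) so the effect can be observed without SMTP.
def handle_reset_request(limiter, email:, ip:, outbox:)
  outbox << email.to_s.strip.downcase if limiter.allow?(email: email, ip: ip)
  RESET_RESPONSE
end

if __FILE__ == $PROGRAM_NAME
  limiter = PasswordResetRateLimiter.new
  outbox = []
  5.times { handle_reset_request(limiter, email: "user@example.org", ip: "198.51.100.7", outbox: outbox) }
  puts "mails queued after 5 requests: #{outbox.size}" # 3 with the default limit
end
```

Worth noting from a detection angle: log the throttled decisions (without the submitted address in plaintext if that is a privacy concern) so a burst of drops for one IP or one address is visible in monitoring rather than only as an SMTP queue backlog.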