globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Missing error alert if user inserts a wrong Recovery Key #4297

Closed eleibr closed 2 weeks ago

eleibr commented 2 weeks ago

What version of GlobaLeaks are you using?

4.13.11 4.15.9

What browser(s) are you seeing the problem on?

All

What operating system(s) are you seeing the problem on?

Windows, macOS, Android, iOS, Linux

Describe the issue

When making the password recovery request, if you enter a wrong Recovery Key, the system does not return any error message, but the modal dialog remains open, with the field for entering the text blanked out. In this way the user cannot notice if the key in his possession is incorrect. These operations are not tracked in the application log.

This is extremely misleading because neither the user nor the Administrator can understand if the recovery key is incorrect or compromised.

Proposed solution

Show an error to the user

evilaliv3 commented 2 weeks ago

Thank you @eleibr, we have just corrected this in release 5.0.25