Open shane-clickingmad opened 2 years ago
Some could argue that this is the new expected behavior as it was the intention to show the detailed error messages only when debug is enabled and not give info on whether that account exists or not. I'm not sure how to solve this issue without some "is this a captcha error message or not" check. As a workaround we could add that info to the message mentioning issues with captcha.
From a security perspective I agree it shouldn't be showing detailed error messages and confirming the account exists or not, however as it stands disabling the elseif condition completely breaks the user journey if reCAPTCHA is enabled and not completed.
Sending the user to a page, with both an error message, and a notice confirming the email was sent is confusing. Then asking them to enter the code from an email they were never sent just adds to that confusion.
Surely it would make more sense to change the error message shown within the elseif to something more generic rather than outright disable it when debug is disabled?
Steps to reproduce the issue
Enable reCAPTCHA and submit a password reset, without completing the reCAPTCHA.
Expected result
reCAPTCHA validation error, and redirect back to same view.
Actual result
A validation error is shown, in addition to a redirection to layout=confirm and a notice confirming completion (no email is sent)
System information (as much as possible)
3.10.9 (issue wasn't in 3.10.8)
Additional comments
Looks like this was introduced with the following code and commit.
https://github.com/joomla/joomla-cms/commit/07b7b8473855a791ad4c58a4d8d55274aa05bf7a
elseif ($return === false && JDEBUG)
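The following is an added illustration of the two behaviours discussed above (the debug-gated elseif versus a generic, always-shown captcha error); it is not Joomla's code, and the `captchaPassed`, `accountExists` and `JDEBUG` stand-ins are hypothetical:

```php
<?php
// Hypothetical stand-ins for the real model, captcha plugin and debug flag.
const JDEBUG = false;

function captchaPassed(array $post): bool
{
    return !empty($post['captcha_ok']);
}

function accountExists(string $email): bool
{
    return $email === 'known@example.com'; // constructed sample account
}

// Before: with debug off, any failure is silent and the caller falls through
// to the confirm layout, which is the confusing journey described in the issue.
function resetBefore(array $post): array
{
    $return = captchaPassed($post) && accountExists($post['email']);
    if ($return === false && JDEBUG) {
        return ['redirect' => 'reset', 'error' => 'Detailed reason (debug only)'];
    }
    return ['redirect' => 'confirm', 'notice' => 'If an account exists, an email was sent'];
}

// After: a captcha failure is a distinct outcome that always stops the flow with a
// generic message, while the account lookup result is still never disclosed.
function resetAfter(array $post): array
{
    if (!captchaPassed($post)) {
        return ['redirect' => 'reset', 'error' => 'Please complete the CAPTCHA and try again'];
    }
    accountExists($post['email']); // result deliberately not surfaced to the user
    return ['redirect' => 'confirm', 'notice' => 'If an account exists, an email was sent'];
}

$missingCaptcha = ['email' => 'known@example.com'];
print_r(resetBefore($missingCaptcha)); // lands on confirm with no error
print_r(resetAfter($missingCaptcha));  // stays on reset with a generic error
```

Both variants return the same confirm-layout response for a completed captcha regardless of whether the address is known, so the generic message does not reintroduce account enumeration.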