Open jonathan-s opened 3 years ago
This is also true through the settings form, where an existing user could attempt to change their email address to email addresses that are already registered.
I don't see a way to enable this feature without giving the user some ability to enumerate registered emails, so it would be nice if there was a configuration option to disable the feature altogether.
Describe the bug
This isn't a very serious security issue, however the best practice when it comes to password reset forms is that you don't give the user a reason to know whether an email exists in the database or not. Right now the user receives a validation error that says that the email doesn't exist.
Expected behavior
Instead the user should get the message "If the email exists it will be sent to your email address".
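As an added illustration (not code from this project or from the issue author), the handler below shows the two behaviours side by side: the reporting form, which returns a validation error for unknown emails, and a hardened form that returns the same status and message on both branches, with the difference confined to the mail side and a server-side audit log. It also covers the settings-form case raised in the comment, where changing to an already-registered address gets the same reply as changing to a free one. All names (UserStore, ResetService, the sample addresses) are hypothetical, and the outbox stands in for a real mail backend.

```python
"""Added example: uniform responses for password-reset and email-change
forms so they cannot be used to enumerate registered accounts.
Framework-agnostic; UserStore/ResetService and the sample users are
constructed for this example, not taken from any real project."""
from dataclasses import dataclass, field
import secrets
from typing import Callable, Dict, List, Optional

UNIFORM_MESSAGE = "If the email exists it will be sent to your email address."
CHANGE_MESSAGE = "A verification email has been sent to the new address."


@dataclass
class UserStore:
    # Constructed sample data: two registered accounts (email -> user id).
    users: Dict[str, str] = field(default_factory=lambda: {
        "alice@example.test": "user-1",
        "bob@example.test": "user-2",
    })

    def lookup(self, email: str) -> Optional[str]:
        # Normalise so "ALICE@example.test" and "alice@example.test" match.
        return self.users.get(email.strip().lower())


@dataclass
class ResetService:
    store: UserStore
    outbox: List[dict] = field(default_factory=list)    # stand-in for SMTP
    audit_log: List[str] = field(default_factory=list)  # for server-side detection

    def request_reset_vulnerable(self, email: str) -> dict:
        """The behaviour described in the issue: the validation error itself
        tells the requester whether the address is registered."""
        if self.store.lookup(email) is None:
            return {"status": 400, "message": "No account with that email exists."}
        self.outbox.append({"to": email, "kind": "reset", "token": secrets.token_urlsafe(32)})
        return {"status": 200, "message": "Reset link sent."}

    def request_reset(self, email: str) -> dict:
        """Hardened: identical status and message whether or not the email
        exists. Only the mail backend and the audit log see the difference."""
        user_id = self.store.lookup(email)
        if user_id is not None:
            self.outbox.append({"to": email, "kind": "reset", "token": secrets.token_urlsafe(32)})
            self.audit_log.append(f"reset requested for account {user_id}")
        else:
            # Logged, not surfaced: a burst of these is a signal for the SOC,
            # but the requester must not learn the lookup result.
            self.audit_log.append(f"reset requested for unknown email {email!r}")
        return {"status": 200, "message": UNIFORM_MESSAGE}

    def change_email(self, current_user_id: str, new_email: str) -> dict:
        """Settings form: never answer 'already registered'. If the address is
        free (or already the caller's own), mail a verification link to it;
        if it belongs to someone else, mail that owner a notice instead. The
        caller sees the same reply either way."""
        owner = self.store.lookup(new_email)
        if owner is None or owner == current_user_id:
            self.outbox.append({"to": new_email, "kind": "verify-new-email",
                                "token": secrets.token_urlsafe(32)})
        else:
            self.outbox.append({"to": new_email, "kind": "address-in-use-notice"})
        return {"status": 200, "message": CHANGE_MESSAGE}


def responses_indistinguishable(handler: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Check suitable for a test suite: the visible response must not depend
    on whether the submitted email is registered."""
    return handler(known) == handler(unknown)


if __name__ == "__main__":
    svc = ResetService(UserStore())
    print(svc.request_reset_vulnerable("nobody@example.test"))   # leaks: 400
    print(svc.request_reset("nobody@example.test"))              # uniform: 200
    print(svc.change_email("user-1", "bob@example.test"))        # same reply as a free address
    print(svc.outbox)
```

The `responses_indistinguishable` helper is the check to keep in the project's test suite once the uniform message is adopted: it fails on the current validation-error behaviour and passes on the hardened handler, so a regression that reintroduces a per-branch message is caught. Timing of the two branches is not equalised here; if that matters for the deployment, queue the mail send off the request path so both branches return at the same point.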