In password recovery, don't reveal whether an e-mail address is valid (unless it is an org's e-mail address)

2017-12-06 14:07:38 -05:00 · 2017-12-06 14:07:38 -05:00 · 927d469db0
commit 927d469db0
parent 4a5626e64b
3 changed files with 8 additions and 6 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -829,7 +829,9 @@ class Recovery(ApiResource):
    email = request.get_json()['email']
    user = model.user.find_user_by_email(email)
    if not user:
-      raise model.InvalidEmailAddressException('Email address was not found.')
+      return {
+        'status': 'sent',
+      }

    if user.organization:
      send_org_recovery_email(user, model.organization.get_admin_users(user))