In password recovery, don't reveal whether an e-mail address is valid (unless it is an org's e-mail address)

2017-12-06 14:07:38 -05:00 · 2017-12-06 14:07:38 -05:00 · 927d469db0
commit 927d469db0
parent 4a5626e64b
3 changed files with 8 additions and 6 deletions
--- a/static/directives/recovery-form.html
+++ b/static/directives/recovery-form.html
@ -5,7 +5,7 @@
  </div>
  <div ng-show="!sendingRecovery">
    <div class="co-alert co-alert-success" ng-show="sent.status == 'sent'">
-        Account recovery email was sent to {{ recovery.email }}.
+      Instructions on how to reset your password have been sent to {{ recovery.email }}. If you do not receive the email, please try again shortly.
    </div>
    <div class="co-alert co-alert-danger" ng-show="invalidRecovery">{{ errorMessage }}</div>
    <div class="co-alert co-alert-info" ng-show="sent.status == 'org'">