Hi, I just realized, the password recovery function unveils a user's password.
In a wiki with registration and Email verification, where the XWiki space must currently be enabled to be viewed by everybody, this could be used by spammers (and others who like to collect email addresses) to harvest email addresses by calling the resetpassword function for every user they see on the "AllUsers" page.

I'd propose to not show the Email address to which a password reminder is sent.

Henning

--
Henning Sprang
http://www.sprang.de | http://lazyb0y.blogspot.com/

