[wp-trac] [WordPress Trac] #12682: Multiple password reset emails can be annoying
WordPress Trac
noreply at wordpress.org
Tue Mar 4 04:42:15 UTC 2014
#12682: Multiple password reset emails can be annoying
----------------------------+-----------------------
Reporter: SergeyBiryukov | Owner:
Type: enhancement | Status: assigned
Priority: normal | Milestone: 3.9
Component: Users | Version: 2.9.2
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
----------------------------+-----------------------
Comment (by nacin):
I would suggest something a bit less harsh. I've totally done three or
four password requests for a service before I realize where the heck the
email is going. (Now imagine an attacker could fill up the quota.) What's
the appropriate balance between two kinds of annoyances? Something to
think about (and research). If someone provides an email address, is it
more lenient than a username, which is public?
Implementation-wise, I think this ideally hooks in on allow_password_reset
and does all of the logic there — it either updates metadata with a new
timestamp or returns WP_Error if requests are being made too quickly.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/12682#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
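
A sketch of the approach suggested in the comment above, written as plugin code. This is an added example, not code from the ticket or its patch: the meta key, the limit of three requests, and the 15-minute window are assumptions chosen to tolerate a few repeat requests before refusing.

```php
<?php
// Added example, not WordPress core code. Key, limit and window are assumed values.
const PWRESET_META_KEY = '_pwreset_request_times'; // hypothetical user meta key
const PWRESET_MAX      = 3;                        // assumed: requests allowed per window
const PWRESET_WINDOW   = 900;                      // assumed: 15 minutes, in seconds

/**
 * Sliding-window decision, kept free of WordPress calls so it can be unit tested.
 * Returns array( bool $allowed, int[] $timestamps_to_store ).
 */
function pwreset_throttle_check( array $times, $now, $max, $window ) {
	$recent = array();
	foreach ( $times as $t ) {
		// Keep only requests that are still inside the window.
		if ( (int) $t > $now - $window ) {
			$recent[] = (int) $t;
		}
	}
	if ( count( $recent ) >= $max ) {
		return array( false, $recent ); // over the limit: do not record this attempt
	}
	$recent[] = $now;
	return array( true, $recent );
}

/**
 * Filter callback for allow_password_reset: either records a new timestamp
 * in user meta or returns WP_Error when requests arrive too quickly.
 */
function pwreset_throttle( $allow, $user_id ) {
	if ( true !== $allow ) {
		return $allow; // an earlier filter already denied or returned WP_Error
	}
	$times = get_user_meta( $user_id, PWRESET_META_KEY, true );
	if ( ! is_array( $times ) ) {
		$times = array(); // no requests recorded yet
	}
	list( $ok, $recent ) = pwreset_throttle_check( $times, time(), PWRESET_MAX, PWRESET_WINDOW );
	if ( ! $ok ) {
		return new WP_Error( 'pwreset_throttled', 'Too many password reset requests. Check your inbox, then try again later.' );
	}
	// Read-then-write is not atomic, so concurrent requests can slightly exceed the limit.
	update_user_meta( $user_id, PWRESET_META_KEY, $recent );
	return true;
}
add_filter( 'allow_password_reset', 'pwreset_throttle', 10, 2 );
```

Because the counter is stored per user, the same limit applies whether the request names the account by username or by email address; treating the two differently, as the comment asks, would need that distinction passed in from the request.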