[24.0] Return generic message for password reset email

This prevents existence of a user account from being queryable through password reset. We now return `None` and display a generic message regardless of a prt being created or not. Fixes galaxyproject#18475
ahmedhamidawan · Jul 1, 2024 · 4f5f8de · 4f5f8de
1 parent 58c55d4
commit 4f5f8de
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
@@ -609,7 +609,7 @@ def send_reset_email(self, trans, payload, **kwd):
                     log.debug(body)
                     return f"Failed to submit email. Please contact the administrator: {util.unicodify(e)}"
             else:
-                return "Failed to produce password reset token. User not found."
+                return None
 
     def get_reset_token(self, trans, email):
         reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)

diff --git a/lib/galaxy/webapps/galaxy/controllers/user.py b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -342,7 +342,7 @@ def reset_password(self, trans, payload=None, **kwd):
         payload = payload or {}
         if message := self.user_manager.send_reset_email(trans, payload):
             return self.message_exception(trans, message)
-        return {"message": "Reset link has been sent to your email."}
+        return {"message": "If an account exists for this email address a confirmation email will be dispatched."}
 
     def __get_redirect_url(self, redirect):
         if not redirect or redirect == "None":