From e61fa6795e9844c78e130533a0f20d5dee8b7201 Mon Sep 17 00:00:00 2001
From: Rolf Schmidt <rolf.schmidt@znuny.com>
Date: Thu, 13 Feb 2020 12:56:31 +0100
Subject: [PATCH] Enhancement: Reduce shown messages after password
 reset/verify to one single version.

---
 .../app/controllers/password_reset.coffee     | 21 ++++++-------------
 .../app/views/password/reset.jst.eco          |  5 ++++-
 app/controllers/users_controller.rb           | 15 +++++++------
 .../signup_password_change_and_reset_test.rb  |  4 +++-
 4 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/app/assets/javascripts/app/controllers/password_reset.coffee b/app/assets/javascripts/app/controllers/password_reset.coffee
index ea392d9aa..ea1060dea 100644
--- a/app/assets/javascripts/app/controllers/password_reset.coffee
+++ b/app/assets/javascripts/app/controllers/password_reset.coffee
@@ -58,22 +58,13 @@ class Index extends App.ControllerContent
     )
 
   success: (data) =>
-    if data.message is 'ok'
 
-      # if in developer mode, redirect to set new password
-      if data.token && @Config.get('developer_mode') is true
-        redirect = =>
-          @navigate "#password_reset_verify/#{data.token}"
-        @delay(redirect, 2000)
-      @render(sent: true)
-
-    else
-      @$('[name=username]').val('')
-      @notify(
-        type: 'error'
-        msg:  App.i18n.translateContent('Username or email address invalid, please try again.')
-      )
-      @formEnable( @el.find('.form-password') )
+    # if in developer mode, redirect to set new password
+    if data.token && @Config.get('developer_mode') is true
+      redirect = =>
+        @navigate "#password_reset_verify/#{data.token}"
+      @delay(redirect, 2000)
+    @render(sent: true)
 
 App.Config.set('password_reset', Index, 'Routes')
 
diff --git a/app/assets/javascripts/app/views/password/reset.jst.eco b/app/assets/javascripts/app/views/password/reset.jst.eco
index 1fd5fc24a..2892223a3 100644
--- a/app/assets/javascripts/app/views/password/reset.jst.eco
+++ b/app/assets/javascripts/app/views/password/reset.jst.eco
@@ -4,7 +4,10 @@
       <% if @sent: %>
         <h2><%- @T('We\'ve sent password reset instructions to your email address.') %><small></small></h2>
         <p><%- @T('If you don\'t receive instructions within a minute or two, check your email\'s spam and junk filters, or try resending your request.') %></p>
-        <a href="#" class="subtle retry">&raquo; <%- @T('again') %> &laquo;</a>
+        <div class="form-controls">
+          <a class="btn btn--text btn--subtle js-cancel" href="#login"><%- @T( 'Cancel & Go Back' ) %></a>
+          <button class="btn btn--primary retry align-right"><%- @T( 'again' ) %></button>
+        </div>
       <% else: %>
         <h2><%- @T( 'Forgot your password?' ) %><small></small></h2>
         <form class="form-password">
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 9c77fbc1f..257df6ab9 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -534,9 +534,12 @@ curl http://localhost/api/v1/users/email_verify_send -v -u #{login}:#{password}
 
     raise Exceptions::UnprocessableEntity, 'No email!' if !params[:email]
 
-    # check is verify is possible to send
     user = User.find_by(email: params[:email].downcase)
-    raise Exceptions::UnprocessableEntity, 'No such user!' if !user
+    if !user
+      # result is always positive to avoid leaking of existing user accounts
+      render json: { message: 'ok' }, status: :ok
+      return
+    end
 
     #if user.verified == true
     #  render json: { error: 'Already verified!' }, status: :unprocessable_entity
@@ -615,14 +618,10 @@ curl http://localhost/api/v1/users/password_reset -v -u #{login}:#{password} -H
         render json: { message: 'ok', token: result[:token].name }, status: :ok
         return
       end
-
-      # token sent to user, send ok to browser
-      render json: { message: 'ok' }, status: :ok
-      return
     end
 
-    # unable to generate token
-    render json: { message: 'failed' }, status: :ok
+    # result is always positive to avoid leaking of existing user accounts
+    render json: { message: 'ok' }, status: :ok
   end
 
 =begin
diff --git a/test/browser/signup_password_change_and_reset_test.rb b/test/browser/signup_password_change_and_reset_test.rb
index dd2d316e7..333329384 100644
--- a/test/browser/signup_password_change_and_reset_test.rb
+++ b/test/browser/signup_password_change_and_reset_test.rb
@@ -208,9 +208,11 @@ class SignupPasswordChangeAndResetTest < TestCase
     click(css: '.content .btn--primary')
     watch_for(
       css:   'body',
-      value: 'address invalid',
+      value: 'sent password reset instructions',
     )
 
+    click(css: '.content .btn--primary')
+
     set(
       css:   'input[name="username"]',
       value: signup_user_email,