Replies: 3 comments
-
Maybe notify your customers on account status change, e.g. via email?
-
This is not a bug and even if it was: We do not provide bugfixes for Symfony 3.4 anymore. Moving to discussions.
-
Maybe you can add some help text when that error appears, something like: "Error: Invalid credentials". Then, if the user is disabled, when sending the email to reset the password you can validate this status and notify them by email. It is an idea, greetings.
-
Symfony version(s) affected: 3.4.49
When logging in as a disabled user, the system throws "Invalid credentials". Before (3.4.45) it was a "Blocked account" message.
Perhaps it was affected by this patch: https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms
Disabled and not-found customers are the same cases. Yes, I do not want to allow enumeration, but how to tell the disabled customer that he is blocked and needs to contact the admin? Disabling "hide_user_not_found" is not an option.
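A framework-independent PHP sketch of what the original post and the third comment are asking for, added here as an example (it is not Symfony's code and does not use its security component): the login reply stays the same generic string for an unknown user, a wrong password and a disabled account, while the password-reset flow tells a disabled owner to contact an administrator only through the email they already control. The user store, log and mailer are stand-in arrays with constructed sample users.

```php
<?php
declare(strict_types=1);
// Constructed in-memory store standing in for the user provider (not Symfony code).
function buildUsers(): array
{
    return [
        'alice@example.com' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'enabled' => true],
        'bob@example.com'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'enabled' => false],
    ];
}
const GENERIC_LOGIN_ERROR = 'Invalid credentials.';

// Login check mirroring hide_user_not_found=true after CVE-2021-21424: unknown user,
// wrong password and disabled account all get the same reply, so the response cannot
// be used to enumerate accounts. The real cause goes only to the server-side log.
function attemptLogin(array $users, string $email, string $password, array &$log): ?string
{
    if (!isset($users[$email])) {
        // Verify against a throwaway hash so unknown users take about the same time.
        password_verify($password, password_hash('unused', PASSWORD_DEFAULT));
        $log[] = "login failed: unknown user $email";
        return GENERIC_LOGIN_ERROR;
    }
    if (!password_verify($password, $users[$email]['hash'])) {
        $log[] = "login failed: bad password for $email";
        return GENERIC_LOGIN_ERROR;
    }
    if (!$users[$email]['enabled']) {
        $log[] = "login failed: account disabled for $email";
        return GENERIC_LOGIN_ERROR; // a "Blocked account" reply here would confirm the account exists
    }
    return null; // success
}
// Password-reset request, as the third comment suggests: the HTTP reply is identical for
// every address; a disabled owner learns about the block only via the email they control.
function requestPasswordReset(array $users, string $email, array &$outbox): string
{
    if (isset($users[$email])) {
        $outbox[] = ['to' => $email, 'body' => $users[$email]['enabled']
            ? 'Use this link to reset your password: <reset-link>'
            : 'Your account is disabled. Please contact an administrator to reactivate it.'];
    }
    return 'If an account exists for that address, an email has been sent.';
}
$users = buildUsers();
$log = $outbox = [];
var_dump(attemptLogin($users, 'nobody@example.com', 'x', $log));          // unknown user
var_dump(attemptLogin($users, 'bob@example.com', 'battery staple', $log)); // disabled, right password
requestPasswordReset($users, 'bob@example.com', $outbox);
print_r($log);    // distinguishes the two failures server-side only
print_r($outbox); // the out-of-band notice for the disabled owner
```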