Security: Always show the password reset link sent message (#7712)

resources/login.php

@@ -148,30 +148,19 @@
 							//send reset link
 								if (send_email($email, $email_subject, $email_body, $eml_error)) {
 									//email sent
-									message::add($text['message-reset_link_sent'], 'positive', 2500);
 								}
 								else {
 									//email failed
 									//message::add($eml_error, 'negative', 5000);
 								}
 						}
-						else {
-							//not found
-							message::add($text['message-reset_link_sent'], 'negative', 5000);
-						}
 
 					}
-					else {
-						//matched multiple users
-						message::add($text['message-reset_link_sent'], 'negative', 5000);
-					}
 
 				}
-				else {
-					//not found
-					message::add($text['message-reset_link_sent'], 'negative', 5000);
-				}
 
+			//always show the email sent message
+			message::add($text['message-reset_link_sent'], 'positive', 2500);
 		}
 		//else {
 		//	//invalid email
@@ -305,8 +294,8 @@
 	echo "	}";
 	echo "</script>";
 
-//send an email with the password reset link
-	if (isset($action) && $action == 'request' && !empty($_SESSION['valid_email'])) {
+//email sent message
+	if (isset($action) && $action == 'request' && isset($_REQUEST['email'])) {
 		echo "<div class='card' style='text-align: center;'>\n";
 		echo "	<h5>".$text['label-email_sent']."</h5>\n";
 		echo "	".$text['description-email_sent']."<br />\n";
@@ -314,7 +303,7 @@
 	}
 
 //request the email address
-	if (empty($_SESSION['valid_email']) && !isset($_SESSION['valid_reset'])) {
+	if (isset($action) && $action == 'request' && !isset($_REQUEST['email'])) {
 
 		//create token
 		$object = new token;