poss bug in the create security pages wizard

Scenario - registration pages created using default settings in DataBridge's (v1.22) wizard.
Selecting SH1 for password encryption.

If when requesting a password reset in forgotpassword.php, the email is sent to the requester.
The requestor clicks on link in email which opens the password reset page.

If the user enters a different email address, such as one that already exists in the DB (not theirs) , on submitting to reset password, the typed email address overwrites the email address in the record being edited in the DB.

Firstly, do you concur?

Can you update the wizard to prevent a different email address from being entered by the requester during the password reset process - whether malicious or not?

Thanks, Paul.

Please attach the page in question to a reply and I'll take a look.

Thanks Ray.
.txt attached.

It appears that is an issue... thanks for bringing it to our attention.

The solutions are to either;
1) Don't update the email field value by editing the Update Record server behavior and removing the email
2) Adding unique column value validation to the email field so that the same email can't be entered if it is already used. The unique id of the users table will be accessible from: <?php echo($_GET['fp_id']); ?>, so you could use that in the unique column validation setting.

We will have to update the wizard to correct for this problem. I'm leaning toward removing the email field entirely in the update process since really this is for updating your password and not your email in the first place.

I share your preference around the email address. I'll remove from the update server behaviour in my instance.