[TYPO3-core] RFC: #10017: [felogin] New Method for "forgotPassword"

Jeff Segars jsegars at alumni.rice.edu
Wed Sep 2 21:38:53 CEST 2009


Hey Steffen,
Thanks for the quick response :)

>> * When calculating the link prefix, should the final fallback be using 
>> TYPO3_SITE_URL rather than outputting an error message?
> Here I disagree. There are 3 possibilities to define the URL: 
> absRefprefix, baseURL or feloginBaseURL. If you miss all 3 the error 
> will inform you about it. Just blindly using TYPO3_SITE_URL can be wrong and 
> no one notices, but the links won't work.

In my experience, the TYPO3_SITE_URL has been safe to use, but I'll 
defer to your judgement there.  Checking baseURL and absrefprefix should 
cover the majority of sites anyway.

>> * Unsetting notification_email_urlmode doesn't work when page.config 
>> is set rather than the top-level config object. Same holds true for 
>> baseURL, etc.
> 
> Good point. I examined and found a bug: absRefPrefix is already used 
> by typolink, so if it's set there is no need to add a prefix.
> For the difference between config.baseURL and page.config.baseURL I now use 
> the processed values
> $GLOBALS['TSFE']->absRefPrefix
> $GLOBALS['TSFE']->baseUrl
> which takes both possibilities into account.

I don't think this is working properly yet, or exposed some other 
strange behavior.

Anytime page.config.baseURL is used, the password reset link has no 
domain in front of it and instead starts at index.php.

With config.baseURL, the link is correct if notification_email_urlmode 
is not set.  If it is set in either config or page.config, the reset 
links have the RDCT parameter in them.

> notification_email_urlmode only works in config, not page.config, that's 
> what I read in the code of TSFE

It works both ways in my testing here. In fact, when I use it inside 
page.config, the forgot password link is encoded with a RDCT parameter 
even though we don't want it to be :)

>> Labels
>> ======
>> "Please enter your username or the email address stored in your 
>> account, press "Send password", and your password will immediately be 
>> emailed to you."
>> * The password itself isn't actually emailed so we should probably 
>> update this message.

"Please enter your username or email address. Instructions for resetting 
the password will be immediately emailed to you."

We should also relabel the submit button to "Reset Password" rather 
than "Send Password".

>> "Dear username
>>
>> to set a new password please visit this link:
>> <link>
>>
>> The link is only valid until 2009-09-01 02:55. If you do not visit the 
>> link before then, you will have to repeat the forgot password procedure."
>> * Maybe we should add a little description before the link that 
>> explains someone is receiving this email because they filled out the 
>> forgot password form. Using the real name rather than username when 
>> available might be a nice touch too.

"Dear (first name / username),

This email was sent in response to your request to reset your password. 
Please click on the link below.

<link>

For security reasons, this link is only active until 2009-09-01 02:55. 
If you do not visit the link before then, you will need to repeat the 
password reset steps."

Thanks,
Jeff

