Enumeration attack from the Password Reset form

[jonathan-s]

Describe the bug
This isn't a very serious security issue, however the best practice when it comes to password reset forms is that you don't give the user a reason to know whether an email exist in the database or not. Right not the user receives a validation error that says that the email doesn't exist.

Expected behavior
Instead the user should get the message If the email exists it will be sent to your email address.

[blag]

This is also true through the settings form, where an existing user could attempt to change their email address to email addresses that are already registered.

I don't see a way to enable this feature without giving the user some ability to enumerate registered emails, so it would be nice if there was a configuration option to disable the feature altogether.