is that by making a request for password, no limit on users, for example, someone might abuse the resources sent by mail or just annoy another user to send unlimited fake password requests, just knowing the user name ...
I have just received this kind of attention from somebody here on the community site. I received 4 fake password reset requests all originating from the same IP address. Not too difficult to track that person down and ban them.
Those requests came from Alexander Kings. If anyone would like to work on adding a limit, we'd definitely accept a patch/pull request.
yes it was me, excuse me Trajan... Cash you're a sentinel xD
info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by Raül Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.