
security: fixed returning info on whether user exists or not in password reset call, fixes #7619

Torkel Ödegaard пре 8 година
родитељ
комит
07466b6725
2 измењених фајлова са 13 додато и 5 уклоњено
  1. 2 1
      pkg/api/password.go
  2. 11 4
      public/app/partials/reset_password.html

+ 2 - 1
pkg/api/password.go

@@ -12,7 +12,8 @@ func SendResetPasswordEmail(c *middleware.Context, form dtos.SendResetPasswordEm
 	userQuery := m.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail}
 
 	if err := bus.Dispatch(&userQuery); err != nil {
-		return ApiError(404, "User does not exist", err)
+		c.Logger.Info("Requested password reset for user that was not found", "user", userQuery.LoginOrEmail)
+		return ApiError(200, "Email sent", err)
 	}
 
 	emailCmd := m.SendResetPasswordEmailCommand{User: userQuery.Result}
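Review bot: The new branch treats every error from `bus.Dispatch(&userQuery)` as "user not found" and answers 200, so a database outage or any other lookup failure is now reported to the caller as "Email sent" and only surfaces as an Info log line; the branch should check for the not-found sentinel and keep a 500 for everything else. The enumeration fix is also only as good as the match between this response and the real success path: `ApiError(200, ...)` presumably still logs the wrapped error and may shape its JSON differently from the response the success path uses (that path lies outside this hunk in SendResetPasswordEmail, which continues past the hunk), and the not-found path returns before any email work is attempted, so body shape and response time remain observable differences worth confirming. Using the same helper the success path uses, with the user-not-found case handled explicitly, keeps both responses identical at the API layer; the timing difference would need a separate measure if it matters for this deployment.
```go
	if err := bus.Dispatch(&userQuery); err != nil {
		if err != m.ErrUserNotFound {
			return ApiError(500, "Failed to look up user", err)
		}
		// Unknown account: respond exactly like the success path so the
		// reply does not reveal whether the login/email exists.
		c.Logger.Info("Requested password reset for user that was not found", "user", userQuery.LoginOrEmail)
		return ApiSuccess("Email sent")
	}
	// … unchanged: emailCmd construction and dispatch …
```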

+ 11 - 4
public/app/partials/reset_password.html

@@ -21,15 +21,22 @@
 				</div>
 
 				<div class="gf-form-button-row">
+					<br />
+					<br />
 					<button type="submit" class="btn btn-large" ng-click="sendResetEmail();" ng-class="{'btn-inverse': !sendResetForm.$valid, 'btn-primary': sendResetForm.$valid}">
-						Send reset instructions
+						Reset Password
 					</button>
 				</div>
 			</form>
 
-			<h5 style="text-align: center; padding: 20px;" ng-if="mode === 'email-sent'">
-				An email with a reset link as been sent to the email address, you should receive it shortly.
-			</h5>
+
+			<div style="text-align: center; padding: 20px;" ng-if="mode === 'email-sent'">
+				An email with a reset link as been sent to the email address. <br>
+				You should receive it shortly.
+			</div>
+
+			<br />
+			<br />
 
 			<form name="resetForm" class="login-form gf-form-group" ng-show="mode === 'reset'">
 				<div class="gf-form">
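Review bot: The rewritten confirmation text on the line `An email with a reset link as been sent to the email address. <br>` keeps the typo from the removed heading; it should read `An email with a reset link has been sent to the email address. <br>`. Since this message is now the single response shown for both known and unknown accounts, its wording is worth getting right, and keeping it neutral ("If an account exists for that address, an email has been sent") would make the no-disclosure behaviour introduced in password.go explicit to the user rather than implied. The stacked `<br />` spacers added around the button row and below the message are layout-by-markup; a margin on the `gf-form-button-row` and the new `div` would be easier to keep consistent with the rest of the login partials.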