This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at Github.
FS#2688 "send password" feature exposes system
ACL & Authentication
Currently anyone can request a resend of a password. This feature should be limited to the human to whom the account belongs. The account owner's mailbox can be flooded (limited DoS), and the corresponding mail provider's spam protection can be triggered.
Add captcha to ensure "human origin".
Add a dialogue with a challenge that is only known to the account owner (i.e. the email address).
I recommend orienting the procedures on those of the big players (Google, Facebook, Amazon, ...).
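As an added illustration of the two mitigations requested above (not DokuWiki code), this Python sketch gates a "send password" request behind a challenge value only the owner should know (the registered email address) and a per-account rate limit, so the mailbox cannot be flooded. The user store, the policy numbers and the function names are constructed assumptions.

```python
"""Added example, not part of the DokuWiki code base: hardened resend flow."""
import hmac
import time
from collections import defaultdict

RESET_WINDOW = 3600       # seconds; constructed policy value
RESET_MAX_PER_WINDOW = 2  # resends allowed per account per window

# Constructed sample user store: login -> registered email address
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# login -> timestamps of accepted resend requests (in-memory for the demo)
_reset_log = defaultdict(list)


def _rate_limited(login, now):
    """Forget timestamps outside the window; True once the cap is reached."""
    recent = [t for t in _reset_log[login] if now - t < RESET_WINDOW]
    _reset_log[login] = recent
    return len(recent) >= RESET_MAX_PER_WINDOW


def request_password_resend(login, email, send_mail, now=None):
    """Send a resend mail only if the supplied email matches the account's
    registered address (the owner-only challenge) and the account is under
    its rate limit. Returns True when a mail was actually sent.

    The message shown to the requester should be identical in every case,
    e.g. "If the details match, a mail has been sent."
    """
    now = time.time() if now is None else now
    registered = USERS.get(login)
    if registered is None:
        return False
    # Compare the challenge value without leaking timing on the mismatch.
    supplied = email.strip().lower().encode()
    if not hmac.compare_digest(registered.lower().encode(), supplied):
        return False
    if _rate_limited(login, now):
        return False
    _reset_log[login].append(now)
    send_mail(registered, login)   # caller-supplied mailer
    return True
```

A captcha check, as also suggested in the report, would sit in front of this function so automated requests never reach the mailer.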