http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8753 --- Comment #57 from M. de Rooy <m.de.rooy@rijksmuseum.nl> --- Interesting! Just some thoughts: The SQL code in the opac-recovery script will not make it pass QA. Please move it to module level (in DBIx?). Can you unit test SendPasswordRecoveryEmail? I would not mind a mail with a library password; other info is more sensitive. If you can read/intercept the password from the mail, you can also read the unique userid for the reset password form. Same result: a hacked account. This approach is fine with me, feels more safe but is not per se safer imo. Thinking out loud: if you do not include sensitive keywords as "password" in your mail (so rename your script?), would that be little more safe? Would not attract attention? -- You are receiving this mail because: You are watching all bug changes.