From f7373ee5fc2e99c0445ab3259b629085748f1283 Mon Sep 17 00:00:00 2001
From: Rebecca Law
Date: Fri, 8 Jan 2016 16:47:34 +0000
Subject: [PATCH] Fix wording

Changed forgot-password so that it does not expose to the user that the email address does not exist.
---
 app/main/forms.py | 8 --------
 app/main/views/forgot_password.py | 11 +++++++----
 app/main/views/new_password.py | 2 +-
 app/templates/views/password-reset-sent.html | 2 +-
 tests/app/main/views/test_forgot_password.py | 14 +++++--------
 5 files changed, 14 insertions(+), 23 deletions(-)

diff --git a/app/main/forms.py b/app/main/forms.py
index 816817778..e06595ba4 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -124,14 +124,6 @@ class AddServiceForm(Form):
 class ForgotPasswordForm(Form):
 email_address = email_address()
- def __init__(self, q, *args, **kwargs):
- self.query_function = q
- super(ForgotPasswordForm, self).__init__(*args, **kwargs)
-
- def validate_email_address(self, a):
- if not self.query_function(a.data):
- raise ValidationError('The email address is not recognised. Enter the email address you registered with.')
-
 class NewPasswordForm(Form):
 new_password = password()
diff --git a/app/main/views/forgot_password.py b/app/main/views/forgot_password.py
index eae320df1..a47285983 100644
--- a/app/main/views/forgot_password.py
+++ b/app/main/views/forgot_password.py
@@ -1,4 +1,4 @@
-from flask import render_template, flash
+from flask import render_template, flash, current_app
 from app.main import main
 from app.main.dao import users_dao
 from app.main.forms import ForgotPasswordForm
@@ -7,9 +7,12 @@ from app.main.views import send_change_password_email
 @main.route('/forgot-password', methods=['GET', 'POST'])
 def forgot_password():
- form = ForgotPasswordForm(users_dao.get_user_by_email)
+ form = ForgotPasswordForm()
 if form.validate_on_submit():
- send_change_password_email(form.email_address.data)
- return render_template('views/password-reset-sent.html')
+ if users_dao.get_user_by_email(form.email_address.data):
+ send_change_password_email(form.email_address.data)
+ return render_template('views/password-reset-sent.html')
+ else:
+ current_app.logger.info('The email address used does not exist.')
 else:
 return render_template('views/forgot-password.html', form=form)
diff --git a/app/main/views/new_password.py b/app/main/views/new_password.py
index 9e0af8355..984c0535c 100644
--- a/app/main/views/new_password.py
+++ b/app/main/views/new_password.py
@@ -10,7 +10,7 @@ from app.main.views import send_sms_code, check_token
 def new_password(token):
 email_address = check_token(token)
 if not email_address:
- flash('The token we sent you has expired. Enter your email address to try again.')
+ flash('The link in the email we sent you has expired. Enter your email address to resend.')
 return redirect(url_for('.forgot_password'))
 user = users_dao.get_user_by_email(email_address=email_address.decode('utf-8'))
diff --git a/app/templates/views/password-reset-sent.html b/app/templates/views/password-reset-sent.html
index 42c5e0954..6d12e559c 100644
--- a/app/templates/views/password-reset-sent.html
+++ b/app/templates/views/password-reset-sent.html
@@ -10,7 +10,7 @@ GOV.UK Notify |
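Review bot: When `users_dao.get_user_by_email` finds no user, the new inner `else:` only logs and then falls off the end of `forgot_password()`, so the view returns `None` (which Flask turns into an error response) instead of a page — the unknown-address case this commit is meant to hide now shows up as a server error rather than the normal confirmation, which is a different but equally visible signal. Make both branches end the same way: keep only `send_change_password_email(form.email_address.data)` inside the `if`, keep the `else:` log line, and put `return render_template('views/password-reset-sent.html')` after the inner `if`/`else` so it runs for both. Keep the log message free of the submitted address, as it is here, since the form value is user-supplied and an email address is personal data. The remaining difference between the two paths is the inline email send itself, which may be observable as response time; if that matters, sending could be deferred out of the request.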

GOV.UK Notify

-

You have been sent an email containing a url to reset your password.

+

You have been sent an email containing a link to reset your password.

diff --git a/tests/app/main/views/test_forgot_password.py b/tests/app/main/views/test_forgot_password.py
index 688960791..fc1ae2d5e 100644
--- a/tests/app/main/views/test_forgot_password.py
+++ b/tests/app/main/views/test_forgot_password.py
@@ -15,13 +15,13 @@ def test_should_redirect_to_password_reset_sent(notifications_admin,
 notifications_admin_db,
 mocker,
 notify_db_session):
- _set_up_mocker(mocker)
- create_test_user('active')
+ mocker.patch("app.admin_api_client.send_email")
+ user = create_test_user('active')
 response = notifications_admin.test_client().post('/forgot-password',
- data={'email_address': 'test@user.gov.uk'})
-
+ data={'email_address': user.email_address})
 assert response.status_code == 200
- assert 'You have been sent an email containing a url to reset your password.' in response.get_data(as_text=True)
+ assert 'You have been sent an email containing a link to reset your password.' in response.get_data(
+ as_text=True)
 def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_expired(notifications_admin,
@@ -37,7 +37,3 @@ def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_exp
 assert response.status_code == 302
 assert response.location == url_for('.forgot_password', _external=True)
 notifications_admin.config['TOKEN_MAX_AGE_SECONDS'] = 86400
-
-
-def _set_up_mocker(mocker):
- mocker.patch("app.admin_api_client.send_email")
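Review bot: The updated test only exercises the known-address path; nothing in this file posts an address with no matching user, which is exactly the behaviour the commit changes, and with the view as committed that path returns no response at all, so a test here would catch it. I would add a second test that posts an unregistered address and checks it receives the same 200 confirmation page and that the patched `app.admin_api_client.send_email` is never called, since the two paths are only indistinguishable to a user if both respond identically. `test_should_redirect_to_password_reset_sent` begins outside the hunk (its `def` line is the hunk header), and I am assuming the `notifications_admin` and `notify_db_session` fixtures give a clean database so that a made-up address is unregistered. The address in the sketch below is a constructed sample value.

```python
def test_should_show_sent_page_for_unknown_email_without_sending(notifications_admin,
                                                                notifications_admin_db,
                                                                mocker,
                                                                notify_db_session):
    send_email = mocker.patch("app.admin_api_client.send_email")
    response = notifications_admin.test_client().post('/forgot-password',
                                                      data={'email_address': 'unknown@example.com'})  # constructed
    assert response.status_code == 200
    assert 'You have been sent an email containing a link to reset your password.' in response.get_data(as_text=True)
    send_email.assert_not_called()
```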