fix password hint check (#5189)

* fix password hint check don't show password hints if you have disabled the hints with PASSWORD_HINTS_ALLOWED=false or if you have not configured mail and opted into showing password hints * update descriptions for pw hints options
2025-07-04 19:44:58 +00:00 · 2024-11-12 21:22:25 +01:00 · 2024-11-12 21:22:25 +01:00 · adb21d5c1a
commit adb21d5c1a
parent e927b8aa5e
3 changed files with 9 additions and 8 deletions
--- a/src/config.rs
+++ b/src/config.rs
@ -497,11 +497,11 @@ make_config! {
        /// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
        /// The default for new users. If changed, it will be updated during login for existing users.
        password_iterations:    i32,    true,   def,    600_000;
-        /// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
+        /// Allow password hints |> Controls whether users can set or show password hints. This setting applies globally to all users.
        password_hints_allowed: bool,   true,   def,    true;
-        /// Show password hint |> Controls whether a password hint should be shown directly in the web page
-        /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
-        /// provides unauthenticated access to potentially sensitive data.
+        /// Show password hint (Know the risks!) |> Controls whether a password hint should be shown directly in the web page
+        /// if SMTP service is not configured and password hints are allowed. Not recommended for publicly-accessible instances
+        /// because this provides unauthenticated access to potentially sensitive data.
        show_password_hint:     bool,   true,   def,    false;

        /// Admin token/Argon2 PHC |> The plain text token or Argon2 PHC string used to authenticate in this very same page. Changing it here will not deauthorize the current session!