Secure Zone Login Error Message / Password Reset

Is there any way to determine if the login information is incorrect vs. not assigned to a secure zone?

Using the front-end login form. If the login fails, it goes to the 403 error page. However, there is nothing in the liquid request to customize the page to indicate if it was an input error or if they were not assigned to a secure zone.

Here is what I am looking for.

  • Login > Failure > Incorrect Password > Message Sample “Incorrect login credentials provided. Please try again or click reset password.”
  • Login > Failure > Email Not assigned to a secure zone or email not found. > Message Sample “No account found for that email address.”

Ability to customize both messages and add additional content like links to the next step.

Maybe something to add to the Backlog.

To add to this as they correspond with each other. The system page request-reset-password will allow and send a password reset link to an email address regardless of whether it is assigned to a secure zone. This should not work if the email address isn’t assigned to a secure zone. It will also accept any email address. If the email address is not in the CRM I think the request-reset-password-result should reply with a message that it is not found.

Perhaps some of these things are security features so that bad actors cannot ascertain email addresses to further target.

However, you could trigger an AJAX request after the user has entered their email address which passes the email address to a page where you look up the CRM for a match - and even check the secure zones they may be subscribed to.

I’ve implemented something similar before, so I’ll try to find the code and adapt it for a Treehouse Code snippet and post a link back here…

@Rhatch I’ve just added a Treehouse code snippet which may help here, or at least give some inspiration to a workaround:

Hope it helps.

1 Like

Thanks @Adam.Wilson, I think this is super useful code! I remember one thing worth mentioning: The property in the Admin under Settings > Misc > GDPR had an unexpected behavior last time I tried it. If your CRM data has records with AND without “Allow listing my contact data in the CMS” set to true, it will kind of “switch” settings to the opposite. Meaning all records which had it set to true will be false and not accessible on the front end and vice versa. I might need to check this again, not sure if this was a bug or intended.


Thanks @TimL
I’ve done a quick test of the issue you mentioned and it seems to be fine now.
I can list contacts on the front-end with both “Allow listing my contact data in the CMS” checked and unchecked when the global GDPR option is checked.
And when the global GDPR option is unchecked only the contacts with “Allow listing my contact data in the CMS” checked are displayed.

1 Like
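The point raised earlier in the thread, that distinct login and reset messages let someone work out which email addresses exist or hold secure-zone access, is usually handled by giving every failure the same reply. This is an added example, not code from the thread or from the CMS; it is platform-neutral Python, and the contact store, zone name, messages and function names are all constructed for illustration.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password, zones):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw": _hash(password, salt), "zones": set(zones)}

# Constructed sample contacts (hypothetical stand-in for the CRM).
CRM = {
    "member@example.com": _record("correct horse", ["members"]),   # in the zone
    "contact@example.com": _record("other pass", []),              # in CRM, no zone
}
# Placeholder record: an unknown email still costs one hash and never matches a zone.
DUMMY = _record(secrets.token_hex(16), [])

# Constructed messages; the same text is returned for every failure cause.
LOGIN_FAILED = "Login failed. Check your details or request a password reset."
RESET_REPLY = "If that address has access, a reset link has been sent."

def login(email, password, zone):
    """Return (ok, message). Wrong password, unknown email and
    'not assigned to the zone' are indistinguishable to the caller."""
    record = CRM.get(email.strip().lower()) or DUMMY
    password_ok = hmac.compare_digest(_hash(password, record["salt"]), record["pw"])
    if password_ok and zone in record["zones"]:
        return True, "Logged in"
    return False, LOGIN_FAILED

def request_reset(email, zone, outbox):
    """Queue a reset token only for contacts assigned to the zone,
    but give every caller the same reply."""
    key = email.strip().lower()
    record = CRM.get(key)
    if record and zone in record["zones"]:
        # A real system would hand this to a background mail queue so the
        # response time does not reveal whether a message was sent.
        outbox.append((key, secrets.token_urlsafe(32)))
    return RESET_REPLY

if __name__ == "__main__":
    outbox = []
    for address in ("member@example.com", "contact@example.com", "nobody@example.com"):
        print(address, "->", request_reset(address, "members", outbox))
    print("reset mails queued:", [to for to, _ in outbox])
```

The account holder still learns the outcome from their inbox, so the next-step links the original post asks for can go in the reset email rather than on the error page.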