Non-member can't reset password

[vranki]

A user with expired membership can try to request password reset via e-mail, but the mail is not sent. This is quite confusing UX.

I suggest if user in this situation tries to reset password, just print "Membership expired, please contact administration" so user won't get confused.

[olmari]

Password reset UI should not reveal anything to one way or another, it is immediate phishing vector if it reveals anything in UI as it is open to public endpoint by nature.

If no email in system at all sending email to mentioned email is also heavily discouraged, as it is abuse vector.. While not consequentially as bad as phishing, still bad practice.

If email exist but status is red, then sending mail could be justified.

Foremostly there should be figured out what has happened, or not happened, for user to find oneself in such situation one doesn't know is he/she even on the system anymore or allowed to login. Better to identify and remedy the rootcause.