PasswordResetView returns a success message for emails that are not in the database, too.

Problems faced:
1. If the user is not registered but strongly believes they are registered and
have forgotten the password, they would keep trying to get a reset email.
2. If they have typed a wrong email in PasswordResetForm, they would be expecting
a reset email with a reset URL but would neither receive any mail nor have any
validation error raised, which wastes a lot of the user's time.
Reference:
https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/views.py#L208
As mentioned in the documentation:
https://docs.djangoproject.com/en/stable/topics/auth/default/#django.contrib.auth.views.PasswordResetView
"This prevents information leaking to potential attackers."
Although a potential attacker can easily get this information from the
Sign-Up/Register page, as a validation error is raised when a duplicate email
address is entered during sign-up.
If there is no unique-email validation during sign-up, there is a chance that
multiple users get registered with the same email (if a user mistakenly types someone
else's email) and the password reset email is sent multiple times for different
users, which is riskier.
Facebook, Netflix and many more also raise a validation error when a non-registered
email is entered.
Thanks for your time.
Sorry, I don't know the real necessity of not validating the email, but this
really causes confusion and wastes the user's precious time.

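To make the trade-off in the post concrete, here is an added example (not Django's code and not the poster's) that models the enumeration-safe reset flow the documentation describes beside the "raise a validation error" variant the post asks for. The `User`, `Outbox`, `get_users` and handler names are assumptions of this example; the filtering in `get_users` (case-insensitive email match, active account, usable password) mirrors what Django's `PasswordResetForm` applies before sending, and the sample accounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    is_active: bool = True
    has_usable_password: bool = True


@dataclass
class Outbox:
    """Stand-in for the email backend; records what would have been sent."""
    sent: list = field(default_factory=list)


def get_users(users, email):
    # Filtering applied before mailing, modelled on Django's PasswordResetForm:
    # case-insensitive match on the email field, active accounts, usable password.
    return [u for u in users
            if u.email.lower() == email.lower() and u.is_active and u.has_usable_password]


def password_reset(users, outbox, email):
    """Enumeration-safe handler: the response is identical whether or not the
    address belongs to an account; only the mailbox differs."""
    for user in get_users(users, email):
        outbox.sent.append((user.email, "reset link"))
    return {"status": 302, "location": "/password_reset/done/"}


def leaky_password_reset(users, outbox, email):
    """The behaviour the post asks for: a validation error when nothing matches.
    The HTTP response itself now reveals which addresses are registered."""
    matched = get_users(users, email)
    if not matched:
        return {"status": 200, "error": "No account found with this email address."}
    for user in matched:
        outbox.sent.append((user.email, "reset link"))
    return {"status": 302, "location": "/password_reset/done/"}


# Constructed sample accounts: one active user and one deactivated user.
USERS = [User("alice@example.com"), User("inactive@example.com", is_active=False)]


def responses_are_indistinguishable(handler):
    """True when a registered and an unregistered address get an identical response."""
    known = handler(USERS, Outbox(), "Alice@Example.com")
    unknown = handler(USERS, Outbox(), "nobody@example.com")
    return known == unknown


if __name__ == "__main__":
    print("django-style:", responses_are_indistinguishable(password_reset))   # True
    print("leaky:", responses_are_indistinguishable(leaky_password_reset))    # False
```

The check `responses_are_indistinguishable` is the property the documentation's "prevents information leaking" sentence refers to; the deactivated account shows that the safe handler also stays silent for addresses that exist but cannot be reset.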