#21660: Password reset form return a successful answer when the email doesn't exist in the database
-------------------------------+--------------------
     Reporter:  anonymous      |      Owner:  nobody
         Type:  Uncategorized  |     Status:  new
    Component:  contrib.auth   |    Version:  1.6
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------
Hello,

The django.contrib password_reset view doesn't come with any mechanism to handle the situation where the email doesn't exist in the database; it just sends the user to a page saying that an email has been sent to the address.

For reference, password_reset:
https://github.com/django/django/blob/master/django/contrib/auth/views.py#L133-173
The email sending is done in the save of the form, line 162.

The query to grab the user (or list of users) in the form is here:
https://github.com/django/django/blob/master/django/contrib/auth/forms.py#L240-243

Also, the behavior to get the user(s) is strange: it can result in sending the same email several times to the same mail address. I really don't get the loop part. Is it because of the test on user.has_usable_password()? If yes, then why isn't there a break at the end of the loop to prevent multiple sent emails? Or is it because of the case-insensitive query?

Kind regards,

--
Ticket URL: <https://code.djangoproject.com/ticket/21660>
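
The behaviour the ticket describes, modelled as an added example in plain Python (not Django's code and not part of the ticket): a case-insensitive email lookup, a skip for accounts without a usable password, one mail per remaining account, and the same page returned whatever the lookup found. The `User` class, the sample accounts, `DONE_PAGE` and both function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Minimal stand-in for an auth user (constructed, not Django's model)."""
    username: str
    email: str
    usable_password: bool = True

    def has_usable_password(self) -> bool:
        return self.usable_password


# Constructed sample accounts: two share one address, differing only in case.
USERS = [
    User("alice", "alice@example.com"),
    User("alice_old", "Alice@Example.com"),
    User("sso_only", "carol@example.com", usable_password=False),
]

DONE_PAGE = "password_reset_done"  # placeholder for the "email sent" page


def reset_recipients(email, users=USERS):
    """Accounts that would each receive their own reset mail."""
    wanted = email.casefold()  # models the case-insensitive query
    return [
        u for u in users
        if u.email.casefold() == wanted
        and u.has_usable_password()  # accounts with unusable passwords are skipped
    ]


def password_reset(email, outbox, users=USERS):
    """Queue one mail per matching account; return the page shown to the caller."""
    for user in reset_recipients(email, users):
        outbox.append((user.email, user.username))
    return DONE_PAGE  # identical for known, skipped and unknown addresses


if __name__ == "__main__":
    for address in ("alice@example.com", "carol@example.com", "nobody@example.com"):
        outbox = []
        page = password_reset(address, outbox)
        print(f"{address}: page={page} mails={outbox}")
```

In this model the two mails queued for `alice@example.com` belong to two different accounts, so a `break` after the first match would leave the second account with no reset mail.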