#21660: Password reset form returns a successful answer when the email doesn't exist in the database
-------------------------------+--------------------
     Reporter:  anonymous      |      Owner:  nobody
         Type:  Uncategorized  |     Status:  new
    Component:  contrib.auth   |    Version:  1.6
     Severity:  Normal         |   Keywords:
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  0              |      UI/UX:  0
-------------------------------+--------------------
 Hello,

 The django.contrib password_reset view doesn't come with any mechanism to
 handle the situation where the email doesn't exist in the database; it
 just sends you to a page telling you that an email has been sent to the address.

 For reference, password_reset is at
 https://github.com/django/django/blob/master/django/contrib/auth/views.py#L133-173
 and the email sending is done in the save of the form, line 162. The query to
 grab the user (or list of users) in the form is here:
 https://github.com/django/django/blob/master/django/contrib/auth/forms.py#L240-243

 Also, the behavior for getting the user(s) is strange: it can result in sending
 the same email several times to the same mail address. I really don't get
 the loop part. Is it because of the test on user.has_usable_password()? If
 yes, then why isn't there a break at the end of the loop to prevent
 multiple sent emails? Or is it because of the case-insensitive query?

 Kind regards,

-- 
Ticket URL: <https://code.djangoproject.com/ticket/21660>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
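The two behaviours the ticket asks about are design choices rather than accidents: the view answers identically whether or not the address is registered, so the form cannot be used to enumerate accounts, and the loop sends one message per matching account because each message carries that account's own uid and token. The following is an added illustration, not Django's code: a minimal self-contained model of that flow with constructed sample accounts (the `User` dataclass, `SAMPLE_USERS`, `get_users`, `password_reset` and the `outbox` list are all assumptions made for the example).

```python
# Added illustration (not Django's own code): a minimal model of the
# password-reset flow the ticket discusses. It shows two things:
#  1. the response handed back to the requester is the same whether or not
#     the address exists, so the form leaks nothing about registered emails;
#  2. the user lookup is case-insensitive and may match several accounts,
#     so one reset message is produced per matching account that is active
#     and has a usable password (the has_usable_password test the ticket
#     asks about), each addressed to that account's own email record.
from dataclasses import dataclass


@dataclass
class User:
    """Constructed stand-in for the django.contrib.auth user model."""
    username: str
    email: str
    is_active: bool = True
    has_usable_password: bool = True


# Constructed sample accounts: two share one mailbox with different casing,
# one is a social-login style account that has no usable password.
SAMPLE_USERS = [
    User("alice", "Alice@example.com"),
    User("alice_old", "alice@EXAMPLE.com"),
    User("bob", "bob@example.com", has_usable_password=False),
]

# Constant wording: deliberately does not depend on whether a match was found.
NEUTRAL_RESPONSE = (
    "If an account exists for that address, a password reset email has been sent."
)


def get_users(email, users):
    """Case-insensitive lookup (mirroring the iexact query the ticket links),
    filtered to active accounts that can actually set a new password."""
    wanted = email.casefold()
    return [
        u for u in users
        if u.email.casefold() == wanted and u.is_active and u.has_usable_password
    ]


def password_reset(email, users, outbox):
    """Handle one reset request.

    `outbox` collects (recipient, username) pairs standing in for the reset
    emails that would be sent. The return value is the same string in every
    case, so a caller cannot distinguish "unknown address" from "sent".
    """
    for user in get_users(email, users):
        # One message per account: each would embed a per-user uid/token link,
        # so the loop is intentional rather than a duplicate send.
        outbox.append((user.email, user.username))
    return NEUTRAL_RESPONSE


if __name__ == "__main__":
    for probe in ("alice@example.com", "bob@example.com", "nobody@example.com"):
        sent = []
        reply = password_reset(probe, SAMPLE_USERS, sent)
        print(f"{probe!r}: reply={reply!r}, messages={sent}")
```

Running the block prints the same reply for all three probes while the message list differs: two messages for the shared `alice` mailbox (one per account), none for the account without a usable password, and none for the unknown address. A defender reviewing such a form checks exactly that property, that the HTTP response (status, body and timing, as far as practical) does not vary with the existence of the account.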
