#23409: PasswordResetForm should not exclude users with unusable passwords
----------------------------------------+------------------------
               Reporter:  carljm        |          Owner:  nobody
                   Type:  New feature   |         Status:  new
              Component:  contrib.auth  |        Version:  1.7
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  0
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+------------------------
 Currently `django.contrib.auth.PasswordResetForm` will (silently) not send
 a password reset email to any user who has an unusable password set.
 Additionally, due to the structure of the code, it's not possible to
 subclass `PasswordResetForm` to change this behavior without copying the
 entire 40-line `save()` method.

 This behavior was introduced in #14674, on the theory that a user with an
 unusable password probably comes from some external authentication source
 (e.g. LDAP), and should not be allowed to reset their password and then
 bypass the external authentication source.

 That's a reasonable policy for some situations, but there are many other
 reasons why one might set an unusable password (e.g. when creating a user
 account for someone else), and it's not at all obvious that "unusable
 password" should always imply "unable to reset password."

 If I could go back in time, I would argue that #14674 should never have
 been committed, but since it was (and there have been several Django
 releases since), I think the default behavior should probably be left as-
 is for backwards-compatibility reasons.

 However, I think it should be easy to subclass `PasswordResetForm` and
 change this policy. I will submit a pull request that extracts a `def
 get_users(self, email):` method of `PasswordResetForm`, whose
 responsibility it is, given an email address, to return the matching users
 who should receive a password-reset link.

--
Ticket URL: <https://code.djangoproject.com/ticket/23409>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
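As an added illustration of the hook the ticket proposes (this is not Django's code and not the reporter's pull request), the Python below models a `PasswordResetForm` whose `save()` delegates user selection to a `get_users(self, email)` method. `User`, `USERS`, `PasswordResetForm` and `InternalAccountsResetForm` are hypothetical stand-ins that mimic the relevant Django behaviour (case-insensitive e-mail match, `has_usable_password()` keyed on the `!` hash prefix, the per-user loop in `save()`) so that it runs without Django. The base class keeps the #14674 policy of skipping unusable passwords; the subclass replaces only `get_users()`, which is the point of the extraction, and still refuses inactive accounts.

```python
"""Stand-in model of the get_users() hook proposed for PasswordResetForm.

Added example, not Django's own code. The classes and the sample user list
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Django marks an unusable password hash with this prefix (assumption stated
# here for the stand-in; real code would call user.has_usable_password()).
UNUSABLE_PASSWORD_PREFIX = "!"


@dataclass
class User:
    """Minimal stand-in for the auth user model."""
    username: str
    email: str
    password: str  # stored hash; a leading "!" means "unusable"
    is_active: bool = True

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)


# Constructed sample data: alice set her own password, bob's account was
# created for him by an admin (unusable password), carol is deactivated.
USERS = [
    User("alice", "alice@example.com", "pbkdf2_sha256$CONSTRUCTED$hash"),
    User("bob", "bob@example.com", "!CONSTRUCTEDunusable"),
    User("carol", "carol@example.com", "!CONSTRUCTEDunusable", is_active=False),
]


class PasswordResetForm:
    """Base form: save() no longer decides who gets mail; get_users() does."""

    def __init__(self, email: str, users: Iterable[User] = USERS):
        self.email = email
        self._users = list(users)  # stand-in for UserModel._default_manager

    def get_users(self, email: str) -> Iterable[User]:
        """Default policy (from #14674): active users with a usable password
        whose e-mail matches case-insensitively."""
        return (
            u for u in self._users
            if u.email.lower() == email.lower()
            and u.is_active
            and u.has_usable_password()
        )

    def save(self) -> List[str]:
        """Return the usernames that would receive a reset link.

        Real Django generates a token from the user's current password hash
        and sends an e-mail here; the stand-in only records the recipients,
        so that subclasses need not copy this method to change the policy.
        """
        return [user.username for user in self.get_users(self.email)]


class InternalAccountsResetForm(PasswordResetForm):
    """Policy for the ticket's use case: accounts created on someone's behalf
    carry an unusable password but must still be able to set one. Only the
    selection hook is overridden; inactive accounts are still excluded."""

    def get_users(self, email: str) -> Iterable[User]:
        return (
            u for u in self._users
            if u.email.lower() == email.lower() and u.is_active
        )


if __name__ == "__main__":
    print("default form, bob:", PasswordResetForm("bob@example.com").save())
    print("subclass, bob:", InternalAccountsResetForm("bob@example.com").save())
```

Running the module shows the default form returning `[]` for bob (silently, exactly the behaviour the ticket describes) and the subclass returning `['bob']`, while carol's deactivated account gets nothing from either form. The e-mail sending and token generation stay in the base `save()`, so a deployment that wants a different policy changes a five-line method instead of copying the whole of `save()`.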
