#23409: PasswordResetForm should not exclude users with unusable passwords
----------------------------------------+------------------------
               Reporter:  carljm        |      Owner:  nobody
                   Type:  New feature   |     Status:  new
              Component:  contrib.auth  |    Version:  1.7
               Severity:  Normal        |   Keywords:
           Triage Stage:  Unreviewed    |  Has patch:  0
    Needs documentation:  0             |  Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+------------------------

Currently `django.contrib.auth.PasswordResetForm` will (silently) not send a password reset email to any user who has an unusable password set. Additionally, due to the structure of the code, it's not possible to subclass `PasswordResetForm` to change this behavior without copying the entire 40-line `save()` method.
This behavior was introduced in #14674, on the theory that a user with an unusable password probably comes from some external authentication source (e.g. LDAP), and should not be allowed to reset their password and then bypass the external authentication source. That's a reasonable policy for some situations, but there are many other reasons why one might set an unusable password (e.g. when creating a user account for someone else), and it's not at all obvious that "unusable password" should always imply "unable to reset password."

If I could go back in time, I would argue that #14674 should never have been committed, but since it was (and there have been several Django releases since), I think the default behavior should probably be left as-is for backwards-compatibility reasons. However, I think it should be easy to subclass `PasswordResetForm` and change this policy.

I will submit a pull request that extracts a `def get_users(self, email):` method of `PasswordResetForm`, whose responsibility it is, given an email address, to return the matching users who should receive a password-reset link.

--
Ticket URL: <https://code.djangoproject.com/ticket/23409>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
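The following is an added illustration of the `get_users(self, email)` hook described in the ticket; it is not code from the ticket, the pull request, or Django itself. The `User` and form classes are plain Python stand-ins that mirror the shape of the proposed hook so the example runs without Django installed; the sample accounts are constructed, and the `auth_source` field is a hypothetical attribute (Django's default user model has no such field) used to tell an account created on someone's behalf apart from one owned by an external authenticator such as LDAP. The only Django convention relied on is that an unusable password is stored with a leading `!`, which is what `has_usable_password()` checks. The point of the subclass is the caveat that matters in practice: relaxing the default policy should not blanket-include every unusable-password account, or the reset flow becomes exactly the bypass that #14674 was guarding against.

```python
"""Stand-in for the proposed PasswordResetForm.get_users(email) hook.

Constructed example: not Django's code. Shows the default policy
(active, email matches, password usable) and a subclass that relaxes
it for locally created accounts only, keeping externally authenticated
accounts excluded.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Django stores an unusable password as "!" followed by random text, so
# has_usable_password() reduces to a prefix check.
UNUSABLE_PASSWORD_PREFIX = "!"


@dataclass
class User:
    email: str
    password: str
    is_active: bool = True
    # Hypothetical field, not part of Django's default User model:
    # "local" means this site owns authentication (e.g. the account was
    # created for the user and never had a password set); "ldap" means an
    # external source owns it and a reset must not bypass that source.
    auth_source: str = "local"

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)


class PasswordResetForm:
    """Default policy, matching the behaviour the ticket describes."""

    def __init__(self, users: Iterable[User]):
        # Stands in for the user model's manager / queryset.
        self.users = list(users)

    def _active_matches(self, email: str) -> List[User]:
        # Case-insensitive email match, inactive accounts never qualify.
        return [u for u in self.users
                if u.email.lower() == email.lower() and u.is_active]

    def get_users(self, email: str) -> List[User]:
        """Users who should receive a reset link for this address."""
        return [u for u in self._active_matches(email)
                if u.has_usable_password()]

    def save(self, email: str) -> List[str]:
        """Return the addresses a reset link would go to. The real form
        sends mail here; this stand-in only reports the recipients."""
        return [u.email for u in self.get_users(email)]


class InvitedUserPasswordResetForm(PasswordResetForm):
    """Relaxed policy: accounts created on someone's behalf (unusable
    password, local authentication) may use the reset flow to set a
    first password. Externally authenticated accounts stay excluded so
    a reset cannot be used to bypass LDAP/SSO."""

    def get_users(self, email: str) -> List[User]:
        return [u for u in self._active_matches(email)
                if u.has_usable_password() or u.auth_source == "local"]


# Constructed sample accounts; the hashes are placeholders, not real.
SAMPLE_USERS = [
    User("alice@example.com", "pbkdf2_sha256$fakehash"),
    User("bob@example.com", "!kZ3x9invited", auth_source="local"),
    User("carol@example.com", "!Qm8b1external", auth_source="ldap"),
    User("dave@example.com", "pbkdf2_sha256$fakehash", is_active=False),
]


def default_recipients(email: str) -> List[str]:
    return PasswordResetForm(SAMPLE_USERS).save(email)


def invited_recipients(email: str) -> List[str]:
    return InvitedUserPasswordResetForm(SAMPLE_USERS).save(email)


if __name__ == "__main__":
    for addr in ("Alice@example.com", "bob@example.com",
                 "carol@example.com", "dave@example.com"):
        print(addr, "default:", default_recipients(addr),
              "invited:", invited_recipients(addr))
```

With the hook in place, changing policy means overriding one short method rather than copying `save()`; the subclass above keeps the inactive-account and email-match checks from the base class and only widens the usable-password test, so the externally authenticated account is still never emailed.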