On 10/8/07, James Bennett <[EMAIL PROTECTED]> wrote:
> On 10/8/07, Bill Fenner <[EMAIL PROTECTED]> wrote:
> > Which is an excellent way to partially lock someone out of the site,
> > by preemptively changing their password (and emailing them the new
> > one).  This operation should really email a challenge URL which, if
> > visited, leads to a "set new password" page.
>
> I don't get it.

His point is that anyone could trigger that email. And, while you're
right that only the true user would receive the email, the target
user's password will get reset regardless. So, if I didn't like you, I
could put in your email address, and even though I can't access your
account, I can still lock you out until you receive the email.

I don't know if that's a big enough problem to worry about, but that's
the point he was saying, I believe.

-Gul
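
The challenge-URL flow suggested in the quoted text, sketched as an added example (not code from this thread or from Django): requesting a reset changes nothing, and the password is only replaced when the emailed token is redeemed. `SECRET`, `MAX_AGE`, `USERS`, `request_reset` and `redeem` are hypothetical names, and the user store is constructed sample data.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never emailed
MAX_AGE = 3600                       # assumption: links expire after one hour

# Constructed sample user store. Unsalted SHA-256 is only a stand-in here
# for whatever password hasher the site really uses.
USERS = {"alice": hashlib.sha256(b"old-password").hexdigest()}


def _sign(username, issued_at):
    # Binding the MAC to the current password hash makes the link single-use:
    # once the password changes, every outstanding link stops verifying.
    msg = f"{username}:{issued_at}:{USERS[username]}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_reset(username, now=None):
    """Anyone may trigger this. It only builds the token to be emailed."""
    if username not in USERS:
        return None
    issued_at = int(time.time() if now is None else now)
    return f"{username}:{issued_at}:{_sign(username, issued_at)}"


def redeem(token, new_password, now=None):
    """Reached only through the emailed URL; this is where the password changes."""
    now = time.time() if now is None else now
    try:
        username, issued_at, mac = token.split(":")
        issued_at = int(issued_at)
    except ValueError:
        return False
    if username not in USERS or not 0 <= now - issued_at <= MAX_AGE:
        return False
    if not hmac.compare_digest(mac, _sign(username, issued_at)):
        return False
    USERS[username] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```
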
