On Oct 9, 12:15 am, "Marty Alchin" <[EMAIL PROTECTED]> wrote:
> On 10/8/07, James Bennett <[EMAIL PROTECTED]> wrote:
>
> > On 10/8/07, Bill Fenner <[EMAIL PROTECTED]> wrote:
> > > Which is an excellent way to partially lock someone out of the site,
> > > by preemptively changing their password (and emailing them the new
> > > one). This operation should really email a challenge URL which, if
> > > visited, leads to a "set new password" page.
>
> > I don't get it.
>
> His point is that anyone could trigger that email. And, while you're
> right that only the true user would receive the email, the target
> user's password will get reset regardless. So, if I didn't like you, I
> could put in your email address, and even though I can't access your
> account, I can still lock you out until you receive the email.
>
> I don't know if that's a big enough problem to worry about, but that's
> the point he was saying, I believe.
>
> -Gul

So other users can reset someone's password. That is a problem, don't you think so... How am I going to work around this problem?
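
The challenge-URL flow suggested in the quoted message, sketched as an added example (not code from this thread or from Django): requesting a reset only produces a signed, expiring link, and the stored password changes only when that link is redeemed. The function names, `SECRET_KEY`, `MAX_AGE`, the in-memory `USERS` store and the example.com URL are all assumptions made for illustration.

```python
import hashlib, hmac, os, time

SECRET_KEY = os.urandom(32)   # assumption: per-deployment server secret
MAX_AGE = 3600                # assumption: links expire after one hour
USERS = {}                    # constructed in-memory store: email -> (salt, hash)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(email, password):
    salt = os.urandom(16)
    USERS[email] = (salt, _hash(password, salt))

def check_password(email, password):
    salt, stored = USERS[email]
    return hmac.compare_digest(stored, _hash(password, salt))

def _mac(email, ts):
    # Binding the MAC to the current password hash makes the link single-use:
    # once the password changes, every outstanding token stops verifying.
    msg = b"|".join([email.encode(), USERS[email][1], str(ts).encode()])
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def request_reset(email, now=None):
    """Return the challenge URL to email; the stored password is NOT touched."""
    if email not in USERS:
        return None  # caller should show the same response either way
    ts = int(time.time() if now is None else now)
    return f"https://example.com/reset/{email}/{ts}-{_mac(email, ts)}/"

def confirm_reset(email, token, new_password, now=None):
    """Set the new password only if the emailed token verifies and is fresh."""
    now = time.time() if now is None else now
    ts_text, _, mac = token.partition("-")
    if email not in USERS or not ts_text.isdecimal():
        return False
    ts = int(ts_text)
    if not (0 <= now - ts <= MAX_AGE):
        return False  # expired, or timestamp from the future
    if not hmac.compare_digest(mac.encode(), _mac(email, ts).encode()):
        return False  # forged, or already used (password hash has changed)
    set_password(email, new_password)
    return True
```

With this shape, someone who submits another user's address causes at most an unwanted email; the account owner can keep logging in with the existing password.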