> It looks like these issues are a direct result of the fact that it is
> possible to create multiple password reset keys for the same e-mail
> address. Though I think we should additionally add the reset=False on
> save to allow the database to serve as a record of password resets.
Technically it's because there are multiple identical reset keys, caused by hashing the same data. The fact that multiple emails are sent out doesn't seem like such a problem. But the fact that they're supposed to contain different keys, yet in fact contain the same ones, is problematic.

Also, is there any reason why it keeps the old resets around and just sets reset=True? Of what use is this information? Auditing? And what should happen if there are two valid password reset keys out there and you use one? I think the other one should be deleted, at least. I mean, that's a nasty security hole to leave open if you don't.
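The pattern the reply argues for (a random key per request so two requests never collide, one use invalidating every other outstanding key for that address, and the rows kept as an audit record), as an added Python example that is not Pinax's own code; the `ResetStore` class, its field names and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PasswordReset:
    """One reset request. Only a hash of the key is stored, so a leaked
    table does not yield working reset links."""
    email: str
    key_hash: str
    created: float
    reset: bool = False      # True once this key was used to reset
    revoked: bool = False    # True when a sibling key was used instead


class ResetStore:
    """Hypothetical store: every request stays as an audit row, but at
    most one outstanding key per address can ever succeed."""

    TTL_SECONDS = 3600  # assumed lifetime of a reset key

    def __init__(self):
        self.records: list[PasswordReset] = []

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, email: str, now: float) -> str:
        # Fresh randomness per request: unlike a key derived by hashing
        # the address, two requests for the same e-mail get different keys.
        key = secrets.token_urlsafe(32)
        self.records.append(PasswordReset(email, self._hash(key), now))
        return key  # goes into the e-mail only; never stored in clear

    def consume(self, key: str, now: float) -> bool:
        digest = self._hash(key)
        for rec in self.records:
            if rec.reset or rec.revoked or now - rec.created > self.TTL_SECONDS:
                continue
            if hmac.compare_digest(rec.key_hash, digest):
                rec.reset = True
                # Using one key closes every other live key for the same
                # address, so a second outstanding link cannot be replayed.
                for other in self.records:
                    if other.email == rec.email and other is not rec and not other.reset:
                        other.revoked = True
                return True
        return False
```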
