Re: password reset for all cached users?

2007-07-25 Thread Patrick Anderson

On Wed, 25 Jul 2007 18:39:03 -0500, James Bennett wrote:

> On 7/25/07, Patrick Anderson <[EMAIL PROTECTED]> wrote:
>> Anyway, why not reset password for a logged-in user only? Maybe I've
>> looked at the code too briefly, and there might be a reason for iterating
>> through users_cache, but that approach sounds safer to me.
> 
> Since the form accepts an email address as input, it could run into
> problems if multiple users share a single email address -- if it just
> looked up a single user with get(), for example, it'd end up throwing an
> AssertionError. An alternate approach of instead asking for the username
> might work, but is probably undesirable from a usability perspective
> because people are far more likely to remember their email addresses
> than their usernames ;)

I see. Yes, that is possible. I guess this issue has many variables. In 
the worst case scenario, the other user(s) will get an email with a reset 
password and a link to change it :)


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Re: password reset for all cached users?

2007-07-25 Thread James Bennett

On 7/25/07, Patrick Anderson <[EMAIL PROTECTED]> wrote:
> Anyway, why not reset password for a logged-in user only? Maybe I've looked
> at the code too briefly, and there might be a reason for iterating
> through users_cache, but that approach sounds safer to me.

Since the form accepts an email address as input, it could run into
problems if multiple users share a single email address -- if it just
looked up a single user with get(), for example, it'd end up throwing
an AssertionError. An alternate approach of instead asking for the
username might work, but is probably undesirable from a usability
perspective because people are far more likely to remember their email
addresses than their usernames ;)


-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
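
The lookup problem described in this message, as an added example that is not part of the original post and is not Django's code: a single-object lookup fails once two accounts share an address, while iterating over every match gives each matching account its own reset and leaves all others untouched. The user list, the function names and the PBKDF2 storage are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample accounts: two usernames share one address.
USERS = [
    {"username": "alice", "email": "shared@example.com"},
    {"username": "bob", "email": "shared@example.com"},
    {"username": "carol", "email": "carol@example.com"},
]


class MultipleUsers(Exception):
    """Raised when one email address maps to more than one account."""


def find_by_email(email):
    """Return every account registered to the address (case-insensitive)."""
    wanted = email.strip().lower()
    return [u for u in USERS if u["email"].lower() == wanted]


def get_one(email):
    """Single-object lookup: breaks as soon as an address is shared."""
    matches = find_by_email(email)
    if not matches:
        raise LookupError("no account for that address")
    if len(matches) > 1:
        raise MultipleUsers(f"{len(matches)} accounts share that address")
    return matches[0]


def reset_for_email(email):
    """Reset each account matching the submitted address, one message per account.

    Only accounts whose stored address equals the input are modified; an
    unknown address yields an empty outbox, so the caller can respond the same way.
    """
    outbox = []
    for user in find_by_email(email):
        temp = secrets.token_urlsafe(12)   # separate random password per account
        salt = secrets.token_bytes(16)
        user["pw_salt"] = salt
        user["pw_hash"] = hashlib.pbkdf2_hmac("sha256", temp.encode(), salt, 100_000)
        outbox.append({"to": user["email"], "username": user["username"],
                       "temp_password": temp})
    return outbox
```
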




Re: password reset for all cached users?

2007-07-25 Thread Patrick Anderson

On Wed, 25 Jul 2007 22:47:05 +, Patrick Anderson wrote:

> Today when trying to add 'reset password' feature into my project, I
> noticed that the PasswordResetForm() 'save' method resets passwords for
> all cached users.
> 
> I have been testing the site with various users logged in, and when I
> tried to reset my password from within my public site, I received 10
> messages with passwords reset for all users that were in users_cache.
> 
> This might cause problems for people who are using the site from a
> shared computer, and I wonder what the reasons for this approach were.
> 
> 
> 
This might cause problems if they share the same computer and the same 
email address, which is rare, but not unconceivable :)

Anyway, why not reset password for a logged-in user only? Maybe I've looked 
at the code too briefly, and there might be a reason for iterating 
through users_cache, but that approach sounds safer to me.





password reset for all cached users?

2007-07-25 Thread Patrick Anderson

Today when trying to add 'reset password' feature into my project, I 
noticed that the PasswordResetForm() 'save' method resets passwords for 
all cached users.

I have been testing the site with various users logged in, and when I 
tried to reset my password from within my public site, I received 10 
messages with passwords reset for all users that were in users_cache.

This might cause problems for people who are using the site from a shared 
computer, and I wonder what the reasons for this approach were.

