id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
7723	DoS possible with django.contrib.auth.views.password_reset	mafr	Luke Plant	"The password_reset view creates a new password overwriting the existing one. Any user who knows your email address can trigger this process as often as he likes. The effect is that you can't log into your account until you change your password.

I think the existing password should remain valid even if a reset email has been triggered. The mail should contain a token that can be used to change the password; even if multiple password reset mails are sent, any token should be usable for password reset in a certain time window."		closed	contrib.auth	dev		fixed			Design decision needed	0	0	0	0	0	0
