id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
8404	Auth password reset tests are too restrictive about template requirements	Malcolm Tredinnick	nobody	"The tests in `django.contrib.auth.tests.views.PasswordResetTest` check for a correct ""failure to submit"" with an invalid email address by looking for a particular error message string. The problem is that this string actually reveals that a particular email address isn't on the system. So if somebody writes a password reset template for their own sites that doesn't reveal the presence or absence of a user (an ITS requirement in some organisations, e.g. financial sites), there is no way to have that test pass.

So we need to come up with a better way to test for ""success"" (i.e. failure to submit the form) when the email address doesn't exist in the system. Possibly just easing back and checking for the existence of form.errors in the template rendering will be enough (or the existence of that error message in the context used for rendering), rather than checking the actual string output so carefully is enough. But maybe somebody has another idea."	Bug	closed	contrib.auth	dev	Normal	fixed		siddhartag@…	Accepted	0	0	0	0	0	0