Opened 3 years ago

Closed 3 years ago

#20123 closed Bug (duplicate)

Non-existing email error should not be displayed on password_reset

Reported by: carlos.olmedo.e@… Owned by: nobody
Component: contrib.auth Version: 1.5
Severity: Normal Keywords: security, message, email, password_reset
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Due to security reasons the error message "That email address doesn't have an associated user account. Are you sure you've registered?" should not be displayed on password_reset view as stated in

Template code:

I'm using django 1.5 and python 3.2.3

Attachments (1)

error.png (17.4 KB) - added by carlos.olmedo.e@… 3 years ago.
Screenshot of the problem

Download all attachments as: .zip

Change History (3)

Changed 3 years ago by carlos.olmedo.e@…

Screenshot of the problem

comment:1 Changed 3 years ago by anonymous

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The documentation says "If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the password_reset_form argument."

comment:2 Changed 3 years ago by aaugustin

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #19758 which was fixed a month ago.

Note: See TracTickets for help on using tickets.
Back to Top