Opened 11 years ago
Closed 11 years ago
#20123 closed Bug (duplicate)
Non-existing email error should not be displayed on password_reset
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.5 |
| Severity: | Normal | Keywords: | security, message, email, password_reset |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Due to security reasons the error message "That email address doesn't have an associated user account. Are you sure you've registered?" should not be displayed on password_reset view as stated in https://docs.djangoproject.com/en/dev/topics/auth/default/.
Template code: http://dpaste.com/hold/1033271/
Urls.py: http://dpaste.com/hold/1033272/
I'm using django 1.5 and python 3.2.3
Attachments (1)
Change History (3)
by , 11 years ago
comment:1 by , 11 years ago
The documentation says "If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the password_reset_form argument."
comment:2 by , 11 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Duplicate of #19758 which was fixed a month ago.
Screenshot of the problem