Opened 12 years ago

Closed 12 years ago

#20123 closed Bug (duplicate)

Non-existing email error should not be displayed on password_reset

Reported by: carlos.olmedo.e@… Owned by: nobody
Component: contrib.auth Version: 1.5
Severity: Normal Keywords: security, message, email, password_reset
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Due to security reasons the error message "That email address doesn't have an associated user account. Are you sure you've registered?" should not be displayed on password_reset view as stated in https://docs.djangoproject.com/en/dev/topics/auth/default/.

Template code: http://dpaste.com/hold/1033271/
Urls.py: http://dpaste.com/hold/1033272/

I'm using django 1.5 and python 3.2.3

Attachments (1)

error.png (17.4 KB ) - added by carlos.olmedo.e@… 12 years ago.
Screenshot of the problem

Download all attachments as: .zip

Change History (3)

by carlos.olmedo.e@…, 12 years ago

Attachment: error.png added

Screenshot of the problem

comment:1 by anonymous, 12 years ago

The documentation says "If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the password_reset_form argument."

comment:2 by Aymeric Augustin, 12 years ago

Resolution: duplicate
Status: newclosed

Duplicate of #19758 which was fixed a month ago.

Note: See TracTickets for help on using tickets.
Back to Top