Password reset form return a successful answer when the email doesn't exist in the database
|Reported by:||anonymous||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The django.contrib password_reset view doesn't come with any machnism to handle the situation where the email doesn't exist in the database, it just send to a page telling that an email has been sent to the address.
For reference, password_reset https://github.com/django/django/blob/master/django/contrib/auth/views.py#L133-173 the email sending is done in the save of the form line 162. The query to grab the user (or list of user) in the form is here https://github.com/django/django/blob/master/django/contrib/auth/forms.py#L240-243
Also, the behavior to get the user(s) is strange, it can result of sending several time the same email to the same mail address, I really don't get the loop part, is it because of the test on user.has_usable_password()? If yes, then why there isn't a break at the end of the loop to prevent multiple sent emails. Or is it because of the case insensitive query?