Opened 6 years ago

Closed 5 years ago

#28780 closed New feature (fixed)

Allow customizing PasswordResetConfirmView's INTERNAL_RESET_URL_TOKEN

Reported by: Meiyer
Owned by: robinh00d
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Since this parameter appears in the URL of the forgotten password reset request (= part of the public interface of the website), it would be nice if websites could customize the value.

Change History (17)

comment:1 by Tim Graham, 6 years ago

Component: Uncategorized → contrib.auth
Summary: Ability to customize INTERNAL_RESET_URL_TOKEN → Allow customizing PasswordResetConfirmView's INTERNAL_RESET_URL_TOKEN
Triage Stage: Unreviewed → Accepted

comment:2 by Tim G., 6 years ago

Owner: changed from nobody to Tim G.
Status: new → assigned

comment:3 by Tim G., 6 years ago

How should this parameter be customizable? Settings?

comment:4 by Tim Graham, 6 years ago

It could be a class attribute on the view.

comment:5 by Meiyer, 6 years ago

I think the configuration that will allow the easiest customization is a class attribute such as:

class PasswordResetConfirmView(PasswordContextMixin, FormView):
    reset_token_placeholder = INTERNAL_RESET_URL_TOKEN

Then it can be used in urls.py with

url('<pattern>',
    PasswordResetConfirmView.as_view(reset_token_placeholder='wachtwoord-aanduiding'),
    name='password_reset_confirm')

Because of the format limitations on the <token> parameter (two alphanumeric strings separated by a hyphen), it will be useful to add instructions to the documentation so that developers do not accidentally break their password reset functionality.
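
Added example, not part of the comment above and not Django's own code: a simplified model of how the placeholder stands in for the real token after the first request, with a check that a custom value still fits the "two alphanumeric strings separated by a hyphen" limit. The regex, the session key name, the `ResetConfirmModel` class and the "set-password" default are assumptions made for illustration.

```python
import re

# Assumption: token segment of the stock password_reset_confirm URL regex,
# i.e. the "two alphanumeric strings separated by a hyphen" limit above.
TOKEN_SEGMENT = re.compile(r"[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20}")
SESSION_KEY = "_password_reset_token"  # assumed session key name


def placeholder_is_routable(placeholder):
    """True if the placeholder fits the <token> URL segment."""
    return TOKEN_SEGMENT.fullmatch(placeholder) is not None


class ResetConfirmModel:
    """Simplified stand-in for the confirm view's token handling."""

    def __init__(self, valid_tokens, reset_token_placeholder="set-password"):
        # A placeholder the URL pattern rejects would make the redirect
        # target unreachable and break password resets.
        if not placeholder_is_routable(reset_token_placeholder):
            raise ValueError("placeholder would not match the <token> pattern")
        self.valid_tokens = set(valid_tokens)
        self.placeholder = reset_token_placeholder

    def dispatch(self, session, uidb64, token):
        """Return ('redirect', url), ('form', None) or ('invalid', None)."""
        if token == self.placeholder:
            # Second request: the real token is read from the session.
            ok = session.get(SESSION_KEY) in self.valid_tokens
            return ("form", None) if ok else ("invalid", None)
        if token in self.valid_tokens:
            # First request: keep the token server-side and redirect to a
            # URL that carries only the public placeholder.
            session[SESSION_KEY] = token
            return ("redirect", f"/reset/{uidb64}/{self.placeholder}/")
        return ("invalid", None)
```

A value such as 'wachtwoord_aanduiding' (underscore) or one with two hyphens fails the check, which is the accidental breakage the comment warns about.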

comment:7 by Claude Paroz, 6 years ago

Has patch: set
Version: 1.11 → master

comment:8 by Tim Graham, 6 years ago

Needs documentation: set
Needs tests: set

comment:9 by Tim Graham, 5 years ago

Owner: Tim G. removed
Status: assigned → new

comment:10 by robinh00d, 5 years ago

Owner: set to robinh00d
Status: new → assigned

comment:11 by robinh00d, 5 years ago

PR for this ticket has been submitted:
https://github.com/django/django/pull/11189

comment:12 by robinh00d, 5 years ago

Needs documentation: unset
Needs tests: unset
Triage Stage: Accepted → Ready for checkin

comment:13 by Mariusz Felisiak, 5 years ago

Triage Stage: Ready for checkin → Accepted
UI/UX: unset

Please do not mark your own PRs as "Ready for checkin" (see triage-workflow).

in reply to:  13 comment:14 by robinh00d, 5 years ago

Replying to felixxm:

Please do not mark your own PRs as "Ready for checkin" (see triage-workflow).

My apologies.

comment:15 by Mariusz Felisiak, 5 years ago

Needs tests: set

comment:16 by robinh00d, 5 years ago

Needs tests: unset

comment:17 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution: fixed
Status: assigned → closed

In 58df8aa4:

Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs.

Co-authored-by: Tim Givois <tim.givois.mendez@…>
