Opened 22 months ago

Closed 3 months ago

#28780 closed New feature (fixed)

Allow customizing PasswordResetConfirmView's INTERNAL_RESET_URL_TOKEN

Reported by: Meiyer
Owned by: robinh00d
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Since this parameter appears in the URL of the forgotten password reset request (= part of the public interface of the website), it would be nice if websites could customize the value.

Change History (17)

comment:1 Changed 22 months ago by Tim Graham

Component: Uncategorized → contrib.auth
Summary: Ability to customize INTERNAL_RESET_URL_TOKEN → Allow customizing PasswordResetConfirmView's INTERNAL_RESET_URL_TOKEN
Triage Stage: Unreviewed → Accepted

comment:2 Changed 22 months ago by Tim G.

Owner: changed from nobody to Tim G.
Status: new → assigned

comment:3 Changed 22 months ago by Tim G.

How should this parameter be customizable? Settings?

comment:4 Changed 22 months ago by Tim Graham

It could be a class attribute on the view.

comment:5 Changed 22 months ago by Meiyer

I think the configuration that will allow the easiest customization is a class attribute such as:

class PasswordResetConfirmView(PasswordContextMixin, FormView):
    reset_token_placeholder = INTERNAL_RESET_URL_TOKEN

Then it can be used in urls.py with

url('<pattern>',
    PasswordResetConfirmView.as_view(reset_token_placeholder='wachtwoord-aanduiding'),
    name='password_reset_confirm')

Because of the format limitations on the <token> parameter (two alphanumeric strings separated by a hyphen), it will be useful to add instructions to the documentation so that developers do not accidentally break their password reset functionality.
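
A deploy-time check for the format limitation raised in comment:5, as an added example that is not part of the ticket or of Django's code. It assumes a regex-style confirm route (the length bounds are illustrative), and the names `CONFIRM_ROUTE`, `placeholder_problems` and `audit` and the sample uid `MQ` are constructed for the illustration.

```python
import re

# Assumption: a regex-style confirm route whose <token> group accepts two
# alphanumeric strings separated by a hyphen, as comment:5 describes.
# The length bounds below are illustrative, not taken from the ticket.
CONFIRM_ROUTE = re.compile(
    r"^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/"
    r"(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$"
)


def placeholder_problems(placeholder, route=CONFIRM_ROUTE, uidb64="MQ"):
    """Return the reasons a placeholder would break the reset flow.

    The view redirects from the URL carrying the real token to the same URL
    with the placeholder in the token position, so that second URL must
    still resolve and hand the placeholder back unchanged.
    """
    if not placeholder:
        return ["placeholder is empty"]
    problems = []
    path = "reset/%s/%s/" % (uidb64, placeholder)  # constructed sample path
    match = route.match(path)
    if match is None:
        problems.append("%r does not match the confirm route" % path)
    elif match.group("token") != placeholder:
        # Only reachable with a custom route that splits the path differently.
        problems.append("route captured %r, not the placeholder"
                        % match.group("token"))
    return problems


def audit(placeholders, route=CONFIRM_ROUTE):
    """Map each candidate placeholder to its list of problems."""
    return {p: placeholder_problems(p, route) for p in placeholders}


if __name__ == "__main__":
    candidates = ["wachtwoord-aanduiding", "reset_password", "nieuw wachtwoord", ""]
    for name, problems in audit(candidates).items():
        print(repr(name), "OK" if not problems else problems)
```
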

comment:7 Changed 21 months ago by Claude Paroz

Has patch: set
Version: 1.11 → master

comment:8 Changed 20 months ago by Tim Graham

Needs documentation: set
Needs tests: set

comment:9 Changed 5 months ago by Tim Graham

Owner: Tim G. deleted
Status: assigned → new

comment:10 Changed 4 months ago by robinh00d

Owner: set to robinh00d
Status: new → assigned

comment:11 Changed 4 months ago by robinh00d

PR for this ticket has been submitted:
https://github.com/django/django/pull/11189

comment:12 Changed 4 months ago by robinh00d

Needs documentation: unset
Needs tests: unset
Triage Stage: Accepted → Ready for checkin

comment:13 Changed 4 months ago by felixxm

Triage Stage: Ready for checkin → Accepted
UI/UX: unset

Please do not mark your own PRs as "Ready for checkin" (see triage-workflow).

comment:14 in reply to:  13 Changed 4 months ago by robinh00d

Replying to felixxm:

Please do not mark your own PRs as "Ready for checkin" (see triage-workflow).

My apologies.

comment:15 Changed 3 months ago by felixxm

Needs tests: set

comment:16 Changed 3 months ago by robinh00d

Needs tests: unset

comment:17 Changed 3 months ago by Mariusz Felisiak <felisiak.mariusz@…>

Resolution: fixed
Status: assigned → closed

In 58df8aa4:

Fixed #28780 -- Allowed specifying a token parameter displayed in password reset URLs.

Co-authored-by: Tim Givois <tim.givois.mendez@…>
