id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 31139 PasswordResetView return success message for emails not in database also SANYAM MITTAL sanyam19092000 "PasswordResetView returns a success message for emails not in database also. ** Problems Faced** 1. If the user is not Registered but strongly thinks they are registered and have forgotten the password they would keep trying to get Reset email. 2. If they've typed a wrong email in PasswordResetForm. They would be expecting a reset email with reset URL but wouldn't receive any mail nor any Validation Error would be raised. **Reference:** [https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/views.py#L208] **Current PasswordResetForm being used:** [https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/forms.py#L250] Here while saving the form by - [https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/forms.py#L292] {{{ for user in self.get_users(email): user_email = getattr(user, email_field_name) context = { 'email': user_email, 'domain': domain, 'site_name': site_name, 'uid': urlsafe_base64_encode(force_bytes(user.pk)), 'user': user, 'token': token_generator.make_token(user), 'protocol': 'https' if use_https else 'http', **(extra_email_context or {}), } self.send_mail( subject_template_name, email_template_name, context, from_email, user_email, html_email_template_name=html_email_template_name, ) }}} It just mails the User (if existing) but doesn't raises an Validation Error if User is not found. Rather it redirects to Success URL. If we raise a Validation Error when User query set is empty. We can use def clean_email method Or can add if else statement before iterating in Available Active Users" Cleanup/optimization closed contrib.auth dev Normal wontfix Unreviewed 0 0 0 0 0 0