Opened 12 years ago

Closed 11 years ago

#4235 closed (fixed)

User emails are not unique in contrib.auth. Password_reset is based on emails.

Reported by: Oscar <ochen@…> Owned by: Adrian Holovaty
Component: Contrib apps Version: master
Severity: Keywords: password auth registration
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


In the auth contrib, password_reset works based on email addresses. The model does not ask that emails remain unique however by default. Instead it asks for unique usernames. The password_reset form errors if there are more than one user with the same email. It should probably therefore be based off of username and perhaps optionally display the email address the automatically generated password was emailed to.

Change History (2)

comment:1 Changed 12 years ago by Chris Beaven

Triage Stage: UnreviewedDesign decision needed

You're right, either the reset form or the model should change.

-1 on displaying the email address -- that's giving away confidential information.

Another solution would be changing the way the reset form works so it doesn't reset the password until confirmation is received (protected with some hash). Then the reset email could contain multiple usernames asking the user which password (if any) they would like to reset.

I'll leave as a design decision until the way to solve this is decided.

comment:2 Changed 11 years ago by James Bennett

Resolution: fixed
Status: newclosed

Closing fixed since [5493] changed the behavior when more than one user has the same email address -- all users at that address are reset. A complaint about that is in #5272.

Note: See TracTickets for help on using tickets.
Back to Top