Opened 7 years ago

Closed 7 years ago

#4235 closed (fixed)

User emails are not unique in contrib.auth. Password_reset is based on emails.

Reported by: Oscar <ochen@…> Owned by: adrian
Component: Contrib apps Version: master
Severity: Keywords: password auth registration
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


In the auth contrib, password_reset works based on email addresses. The model does not ask that emails remain unique however by default. Instead it asks for unique usernames. The password_reset form errors if there are more than one user with the same email. It should probably therefore be based off of username and perhaps optionally display the email address the automatically generated password was emailed to.

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by SmileyChris

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

You're right, either the reset form or the model should change.

-1 on displaying the email address -- that's giving away confidential information.

Another solution would be changing the way the reset form works so it doesn't reset the password until confirmation is received (protected with some hash). Then the reset email could contain multiple usernames asking the user which password (if any) they would like to reset.

I'll leave as a design decision until the way to solve this is decided.

comment:2 Changed 7 years ago by ubernostrum

  • Resolution set to fixed
  • Status changed from new to closed

Closing fixed since [5493] changed the behavior when more than one user has the same email address -- all users at that address are reset. A complaint about that is in #5272.

Add Comment

Modify Ticket

Change Properties
<Author field>
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.