Opened 18 years ago
Closed 17 years ago
#4235 closed (fixed)
User emails are not unique in contrib.auth. Password_reset is based on emails.
Reported by: | Owned by: | Adrian Holovaty | |
---|---|---|---|
Component: | Contrib apps | Version: | dev |
Severity: | Keywords: | password auth registration | |
Cc: | Triage Stage: | Design decision needed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In the auth contrib, password_reset works based on email addresses. The model does not ask that emails remain unique however by default. Instead it asks for unique usernames. The password_reset form errors if there are more than one user with the same email. It should probably therefore be based off of username and perhaps optionally display the email address the automatically generated password was emailed to.
Change History (2)
comment:1 by , 18 years ago
Triage Stage: | Unreviewed → Design decision needed |
---|
comment:2 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
You're right, either the reset form or the model should change.
-1 on displaying the email address -- that's giving away confidential information.
Another solution would be changing the way the reset form works so it doesn't reset the password until confirmation is received (protected with some hash). Then the reset email could contain multiple usernames asking the user which password (if any) they would like to reset.
I'll leave as a design decision until the way to solve this is decided.