User emails are not unique in contrib.auth. Password_reset is based on emails.
|Reported by:||Oscar <ochen@…>||Owned by:||adrian|
|Severity:||Keywords:||password auth registration|
|Cc:||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
In the auth contrib, password_reset works based on email addresses. By default, however, the model does not ask that emails remain unique. Instead, it asks for unique usernames. The password_reset form errors if there is more than one user with the same email. It should probably therefore be based off of username and perhaps optionally display the email address the automatically generated password was emailed to.
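The behaviour described in this ticket, reproduced as an added example (not code from the ticket or from Django): an email-keyed reset lookup that fails on shared addresses, an audit query for affected addresses, and the proposed username-keyed lookup. The `users` table, the function names, the sample rows and the masking of the displayed address are all assumptions.

```python
import sqlite3

class AmbiguousEmail(Exception):
    """More than one account matches the address given to the reset form."""

def make_db():
    # Hypothetical schema mirroring the ticket: username is unique, email is not.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT NOT NULL UNIQUE, email TEXT NOT NULL)")
    # Constructed sample rows: two accounts share one address.
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "shared@example.com"),
        ("alice_work", "shared@example.com"),
        ("bob", "bob@example.com"),
    ])
    return db

def duplicate_emails(db):
    # Audit query: every address that an email-keyed reset cannot resolve.
    return db.execute("SELECT email, COUNT(*) FROM users GROUP BY email "
                      "HAVING COUNT(*) > 1 ORDER BY email").fetchall()

def reset_by_email(db, email):
    # Email-keyed lookup: fails as the ticket describes when the address is shared.
    rows = db.execute("SELECT username FROM users WHERE email = ?", (email,)).fetchall()
    if len(rows) > 1:
        raise AmbiguousEmail(f"{len(rows)} accounts share this address")
    return rows[0][0] if rows else None

def mask(email):
    # Assumption: show only a hint of the address, so the confirmation page
    # does not disclose a full address to whoever typed the username.
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

def reset_by_username(db, username):
    # Username-keyed lookup: the UNIQUE constraint guarantees at most one row.
    row = db.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return None if row is None else mask(row[0])

if __name__ == "__main__":
    db = make_db()
    print(duplicate_emails(db))
    print(reset_by_username(db, "alice_work"))
```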