Opened 11 years ago

Closed 9 years ago

#5272 closed (fixed)

Password reset form resets passwords for all users sharing an email address

Reported by: Alper KANAT <alperkanat@…> Owned by: nobody
Component: Contrib apps Version: master
Severity: Keywords: password reset form
Cc: yatiohi@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


In /contrib/auth/ (line 89) it loops through the users found. So if I have 2 or more accounts with the same e-mail address (because the emailfield in Users model is not unique) it would change every accounts password in this case which is not very nice..

The code is like this: (SVN commit: 6001)

class PasswordResetForm(oldforms.Manipulator):

"A form that lets a user request a password reset"
def init(self):

self.fields = (

oldforms.EmailField(field_name="email", length=40, is_required=True,



def isValidUserEmail(self, new_data, all_data):

"Validates that a user exists with the given e-mail address"
self.users_cache = list(User.objects.filter(emailiexact=new_data))
if len(self.users_cache) == 0:

raise validators.ValidationError, _("That e-mail address doesn't have an associated user account. Are you sure you've registered?")

def save(self, domain_override=None, email_template_name='registration/password_reset_email.html'):

"Calculates a new password randomly and sends it to the user"
from django.core.mail import send_mail
for user in self.users_cache:

new_pass = User.objects.make_random_password()
if not domain_override:

current_site = Site.objects.get_current()
site_name =
domain = current_site.domain


site_name = domain = domain_override

t = loader.get_template(email_template_name)
c = {

'new_password': new_pass,
'domain': domain,
'site_name': site_name,
'user': user,

send_mail('Password reset on %s' % site_name, t.render(Context(c)), None, [])

Change History (10)

comment:1 Changed 11 years ago by Alper KANAT <alperkanat@…>

comment:2 Changed 11 years ago by James Bennett

Resolution: duplicate
Status: newclosed

Duplicate of #4235.

comment:3 Changed 11 years ago by James Bennett

Resolution: duplicate
Status: closedreopened

Never mind, wrong issue.

comment:4 Changed 11 years ago by Chris Beaven

Summary: PasswordResetForm IssuePassword reset form resets passwords for all users sharing an email address
Triage Stage: UnreviewedAccepted

I agree, the current solution is rather poor.

More than just that, I would much prefer a system which emailed the user a list of their usernames, with links (containing a secret key) to reset the related passwords, rather than just blatantly resetting passwords without any confirmation.

I'll accept, but it's up to someone to come up with a good solution (against newforms-admin).

comment:5 Changed 11 years ago by favo <favo@…>

Why not just changing user model email to unique? Benefits:

  • just revert 'Password reset loop set new password' changeset to keep it simple, although other people could give more friendly solution
  • user could signin with email.

comment:6 Changed 11 years ago by anonymous

What if a user wanted separate accounts(one for admin work and one for normal work, for example)? Would they have to register with separate e-mail addresses?

comment:7 Changed 11 years ago by anonymous

Cc: yatiohi@… added

comment:8 Changed 9 years ago by patriciomolina@…

We're facing this problem right now. Any thoughts?

comment:9 Changed 9 years ago by gmorehoudh

Given the stance in #7591 that email will not be enforced to be unique by default, this bug needs addressing.

comment:10 Changed 9 years ago by Luke Plant

Resolution: fixed
Status: reopenedclosed

I don't understand why this needs to be fixed, now that #7723 has been fixed. No passwords are reset until the link in the e-mail is clicked. If there is a complaint about the usability of the current system (e.g. the number of e-mails sent out etc, I can't remember exactly how it works), please file another bug.


Note: See TracTickets for help on using tickets.
Back to Top