Opened 17 years ago
Closed 15 years ago
#5272 closed (fixed)
Password reset form resets passwords for all users sharing an email address
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Contrib apps | Version: | dev |
| Severity: | Keywords: | password reset form | |
| Cc: | yatiohi@… | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In /contrib/auth/forms.py (line 89) it loops through the users found. So if I have 2 or more accounts with the same e-mail address (because the emailfield in Users model is not unique) it would change every accounts password in this case which is not very nice..
The code is like this: (SVN commit: 6001)
class PasswordResetForm(oldforms.Manipulator):
"A form that lets a user request a password reset"
def init(self):
self.fields = (
oldforms.EmailField(field_name="email", length=40, is_required=True,
validator_list=[self.isValidUserEmail]),
)
def isValidUserEmail(self, new_data, all_data):
"Validates that a user exists with the given e-mail address"
self.users_cache = list(User.objects.filter(emailiexact=new_data))
if len(self.users_cache) == 0:
raise validators.ValidationError, _("That e-mail address doesn't have an associated user account. Are you sure you've registered?")
def save(self, domain_override=None, email_template_name='registration/password_reset_email.html'):
"Calculates a new password randomly and sends it to the user"
from django.core.mail import send_mail
for user in self.users_cache:
new_pass = User.objects.make_random_password()
user.set_password(new_pass)
user.save()
if not domain_override:
current_site = Site.objects.get_current()
site_name = current_site.name
domain = current_site.domain
else:
site_name = domain = domain_override
t = loader.get_template(email_template_name)
c = {
'new_password': new_pass,
'email': user.email,
'domain': domain,
'site_name': site_name,
'user': user,
}
send_mail('Password reset on %s' % site_name, t.render(Context(c)), None, [user.email])
Change History (10)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:3 by , 17 years ago
| Resolution: | duplicate |
|---|---|
| Status: | closed → reopened |
Never mind, wrong issue.
comment:4 by , 17 years ago
| Summary: | PasswordResetForm Issue → Password reset form resets passwords for all users sharing an email address |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
I agree, the current solution is rather poor.
More than just that, I would much prefer a system which emailed the user a list of their usernames, with links (containing a secret key) to reset the related passwords, rather than just blatantly resetting passwords without any confirmation.
I'll accept, but it's up to someone to come up with a good solution (against newforms-admin).
comment:5 by , 17 years ago
Why not just changing user model email to unique? Benefits:
- just revert 'Password reset loop set new password' changeset to keep it simple, although other people could give more friendly solution
- user could signin with email.
comment:6 by , 17 years ago
What if a user wanted separate accounts(one for admin work and one for normal work, for example)? Would they have to register with separate e-mail addresses?
comment:7 by , 17 years ago
| Cc: | added |
|---|
comment:9 by , 15 years ago
Given the stance in #7591 that email will not be enforced to be unique by default, this bug needs addressing.
comment:10 by , 15 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
I don't understand why this needs to be fixed, now that #7723 has been fixed. No passwords are reset until the link in the e-mail is clicked. If there is a complaint about the usability of the current system (e.g. the number of e-mails sent out etc, I can't remember exactly how it works), please file another bug.
Thanks!
Duplicate of #4235.