Opened 8 years ago

Closed 5 years ago

#5272 closed (fixed)

Password reset form resets passwords for all users sharing an email address

Reported by: Alper KANAT <alperkanat@…> Owned by: nobody
Component: Contrib apps Version: master
Severity: Keywords: password reset form
Cc: yatiohi@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

In /contrib/auth/forms.py (line 89) it loops through the users found. So if I have 2 or more accounts with the same e-mail address (because the emailfield in Users model is not unique) it would change every accounts password in this case which is not very nice..

The code is like this: (SVN commit: 6001)

class PasswordResetForm(oldforms.Manipulator):

"A form that lets a user request a password reset"
def init(self):

self.fields = (

oldforms.EmailField(field_name="email", length=40, is_required=True,

validator_list=[self.isValidUserEmail]),

)

def isValidUserEmail(self, new_data, all_data):

"Validates that a user exists with the given e-mail address"
self.users_cache = list(User.objects.filter(emailiexact=new_data))
if len(self.users_cache) == 0:

raise validators.ValidationError, _("That e-mail address doesn't have an associated user account. Are you sure you've registered?")

def save(self, domain_override=None, email_template_name='registration/password_reset_email.html'):

"Calculates a new password randomly and sends it to the user"
from django.core.mail import send_mail
for user in self.users_cache:

new_pass = User.objects.make_random_password()
user.set_password(new_pass)
user.save()
if not domain_override:

current_site = Site.objects.get_current()
site_name = current_site.name
domain = current_site.domain

else:

site_name = domain = domain_override

t = loader.get_template(email_template_name)
c = {

'new_password': new_pass,
'email': user.email,
'domain': domain,
'site_name': site_name,
'user': user,
}

send_mail('Password reset on %s' % site_name, t.render(Context(c)), None, [user.email])

Change History (10)

comment:1 Changed 8 years ago by Alper KANAT <alperkanat@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 8 years ago by ubernostrum

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #4235.

comment:3 Changed 8 years ago by ubernostrum

  • Resolution duplicate deleted
  • Status changed from closed to reopened

Never mind, wrong issue.

comment:4 Changed 7 years ago by SmileyChris

  • Summary changed from PasswordResetForm Issue to Password reset form resets passwords for all users sharing an email address
  • Triage Stage changed from Unreviewed to Accepted

I agree, the current solution is rather poor.

More than just that, I would much prefer a system which emailed the user a list of their usernames, with links (containing a secret key) to reset the related passwords, rather than just blatantly resetting passwords without any confirmation.

I'll accept, but it's up to someone to come up with a good solution (against newforms-admin).

comment:5 Changed 7 years ago by favo <favo@…>

Why not just changing user model email to unique? Benefits:

  • just revert 'Password reset loop set new password' changeset to keep it simple, although other people could give more friendly solution
  • user could signin with email.

comment:6 Changed 7 years ago by anonymous

What if a user wanted separate accounts(one for admin work and one for normal work, for example)? Would they have to register with separate e-mail addresses?

comment:7 Changed 7 years ago by anonymous

  • Cc yatiohi@… added

comment:8 Changed 6 years ago by patriciomolina@…

We're facing this problem right now. Any thoughts?

comment:9 Changed 5 years ago by gmorehoudh

Given the stance in #7591 that email will not be enforced to be unique by default, this bug needs addressing.

comment:10 Changed 5 years ago by lukeplant

  • Resolution set to fixed
  • Status changed from reopened to closed

I don't understand why this needs to be fixed, now that #7723 has been fixed. No passwords are reset until the link in the e-mail is clicked. If there is a complaint about the usability of the current system (e.g. the number of e-mails sent out etc, I can't remember exactly how it works), please file another bug.

Thanks!

Note: See TracTickets for help on using tickets.
Back to Top