﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
5272	Password reset form resets passwords for all users sharing an email address	Alper KANAT <alperkanat@…>	nobody	"In /contrib/auth/forms.py (line 89) the code loops through all the users found. So if I have 2 or more accounts with the same e-mail address (possible because the email field in the User model is not unique), a single reset request changes the password of every one of those accounts, which is not very nice.

The code is like this: (SVN commit: 6001)

class PasswordResetForm(oldforms.Manipulator):
    ""A form that lets a user request a password reset""
    def __init__(self):
        self.fields = (
            oldforms.EmailField(field_name=""email"", length=40, is_required=True,
                validator_list=[self.isValidUserEmail]),
        )

    def isValidUserEmail(self, new_data, all_data):
        ""Validates that a user exists with the given e-mail address""
        self.users_cache = list(User.objects.filter(email__iexact=new_data))
        if len(self.users_cache) == 0:
            raise validators.ValidationError, _(""That e-mail address doesn't have an associated user account. Are you sure you've registered?"")

    def save(self, domain_override=None, email_template_name='registration/password_reset_email.html'):
        ""Calculates a new password randomly and sends it to the user""
        from django.core.mail import send_mail
        for user in self.users_cache:
            new_pass = User.objects.make_random_password()
            user.set_password(new_pass)
            user.save()
            if not domain_override:
                current_site = Site.objects.get_current()
                site_name = current_site.name
                domain = current_site.domain
            else:
                site_name = domain = domain_override
            t = loader.get_template(email_template_name)
            c = {
                'new_password': new_pass,
                'email': user.email,
                'domain': domain,
                'site_name': site_name,
                'user': user,
                }
            send_mail('Password reset on %s' % site_name, t.render(Context(c)), None, [user.email])
"		closed	Contrib apps	dev		fixed	password reset form	yatiohi@…	Accepted	0	0	0	0	0	0
