Auth password reset tests are too restrictive about template requirements
| Reported by: | mtredinnick | Owned by: | nobody |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
The tests in django.contrib.auth.tests.views.PasswordResetTest check for a correct "failure to submit" with an invalid email address by looking for a particular error message string. The problem is that this string actually reveals that a particular email address isn't on the system. So if somebody writes a password reset template for their own sites that doesn't reveal the presence or absence of a user (an ITS requirement in some organisations, e.g. financial sites), there is no way to have that test pass.
So we need to come up with a better way to test for "success" (i.e. failure to submit the form) when the email address doesn't exist in the system. Possibly just easing back and checking for the existence of form.errors in the template rendering will be enough (or the existence of that error message in the context used for rendering), rather than checking the actual string output so carefully. But maybe somebody has another idea.
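The difference between the two kinds of assertion, as an added example that is not part of the ticket and is not Django code: a framework-free model in which `reset_view`, the two templates, the error wording and the sample address are all constructed for illustration. It also shows the property the site-specific template is after, namely identical output for known and unknown addresses.

```python
from string import Template

KNOWN_EMAILS = {"staff@example.com"}  # constructed sample user store
# Constructed wording that discloses whether an account exists.
ERROR = "That e-mail address doesn't have an associated user account."
REVEALING = Template("<ul class='errorlist'><li>$error</li></ul>")
# Site template that prints the same page whether or not the user exists.
NEUTRAL = Template("<p>If that address is registered, a reset link was sent.</p>")


def reset_view(email, template):
    """Hypothetical view: returns (context, html). Unknown address => form errors."""
    errors = {}
    if email not in KNOWN_EMAILS:
        errors["email"] = [ERROR]
    context = {"form_errors": errors, "mail_sent": not errors}
    html = template.safe_substitute(error="; ".join(errors.get("email", [])))
    return context, html


def brittle_check(context, html):
    """String-matching assertion: passes only if the page prints the message."""
    return "doesn't have an associated user account" in html


def robust_check(context, html):
    """Context assertion: the form was rejected, whatever the template prints."""
    return bool(context["form_errors"]) and not context["mail_sent"]


def run_matrix():
    """Apply both checks to an unknown address under each template."""
    results = {}
    for name, tpl in (("revealing", REVEALING), ("neutral", NEUTRAL)):
        ctx, html = reset_view("nobody@example.com", tpl)
        results[name] = (brittle_check(ctx, html), robust_check(ctx, html))
    return results


def responses_indistinguishable(template):
    """True when known and unknown addresses render byte-identical pages."""
    known_html = reset_view("staff@example.com", template)[1]
    unknown_html = reset_view("nobody@example.com", template)[1]
    return known_html == unknown_html


if __name__ == "__main__":
    print(run_matrix())
    print(responses_indistinguishable(NEUTRAL), responses_indistinguishable(REVEALING))
```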
Change History (15)
comment:1 Changed 7 years ago by jacob
- milestone changed from 1.0 maybe to post-1.0
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:12 Changed 3 years ago by Claude Paroz <claude@…>
- Resolution set to fixed
- Status changed from new to closed