summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorHorst Gutmann <hgutmann@netconomy.net>2013-02-23 13:39:21 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2013-02-23 14:31:21 +0100
commit2f4a4703e1931fadf5ed81387b26cf84caf5bef9 (patch)
treefc210f8544d89da63e6b92a1ca4b5a7ea657e678 /docs
parent7acabbb9800de4492c0ee612a8a0aa784eb07f49 (diff)
Fixed #19758 -- Avoided leaking email existence through the password reset form.
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/default.txt16
1 files changed, 15 insertions, 1 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 1a57770b2b..d82731f73b 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -743,10 +743,24 @@ patterns.
that can be used to reset the password, and sending that link to the
user's registered email address.
+ If the email address provided does not exist in the system, this view
+ won't send an email, but the user won't receive any error message either.
+ This prevents information leaking to potential attackers. If you want to
+ provide an error message in this case, you can subclass
+ :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
+ ``password_reset_form`` argument.
+
+
Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an
- external authentication source like LDAP.
+ external authentication source like LDAP. Note that they won't receive any
+ error message since this would expose their account's existence but no
+ mail will be sent either.
+
+ .. versionchanged:: 1.6
+ Previously, error messages indicated whether a given email was
+ registered.
**URL name:** ``password_reset``