diff options
| author | Horst Gutmann <hgutmann@netconomy.net> | 2013-02-23 13:39:21 +0100 |
|---|---|---|
| committer | Aymeric Augustin <aymeric.augustin@m4x.org> | 2013-02-23 14:31:21 +0100 |
| commit | 2f4a4703e1931fadf5ed81387b26cf84caf5bef9 (patch) | |
| tree | fc210f8544d89da63e6b92a1ca4b5a7ea657e678 /docs | |
| parent | 7acabbb9800de4492c0ee612a8a0aa784eb07f49 (diff) | |
Fixed #19758 -- Avoided leaking email existence through the password reset form.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/auth/default.txt | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 1a57770b2b..d82731f73b 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -743,10 +743,24 @@ patterns. that can be used to reset the password, and sending that link to the user's registered email address. + If the email address provided does not exist in the system, this view + won't send an email, but the user won't receive any error message either. + This prevents information leaking to potential attackers. If you want to + provide an error message in this case, you can subclass + :class:`~django.contrib.auth.forms.PasswordResetForm` and use the + ``password_reset_form`` argument. + + Users flagged with an unusable password (see :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't allowed to request a password reset to prevent misuse when using an - external authentication source like LDAP. + external authentication source like LDAP. Note that they won't receive any + error message since this would expose their account's existence but no + mail will be sent either. + + .. versionchanged:: 1.6 + Previously, error messages indicated whether a given email was + registered. **URL name:** ``password_reset`` |
