summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorBrad Solomon <25164676+bsolomon1124@users.noreply.github.com>2021-09-09 08:11:51 -0400
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-01-17 07:44:46 +0100
commitb55ebe32417e0884b6b8b3e1bc0379033aa221af (patch)
tree19f831fe3959cdcd304df3ad4c06c3ea6c936e07 /docs
parent0a17666045de6739ae1c2ac695041823d5f827f7 (diff)
Fixed #33443 -- Clarified when PasswordResetView sends an email.
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/default.txt25
1 files changed, 14 insertions, 11 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 23e0836d85..d099778836 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1281,10 +1281,20 @@ implementation details see :ref:`using-the-views`.
that can be used to reset the password, and sending that link to the
user's registered email address.
- If the email address provided does not exist in the system, this view
- won't send an email, but the user won't receive any error message either.
- This prevents information leaking to potential attackers. If you want to
- provide an error message in this case, you can subclass
+ This view will send an email if the following conditions are met:
+
+ * The email address provided exists in the system.
+ * The requested user is active (``User.is_active`` is ``True``).
+ * The requested user has a usable password. Users flagged with an unusable
+ password (see
+ :meth:`~django.contrib.auth.models.User.set_unusable_password`) aren't
+ allowed to request a password reset to prevent misuse when using an
+ external authentication source like LDAP.
+
+ If any of these conditions are *not* met, no email will be sent, but the
+ user won't receive any error message either. This prevents information
+ leaking to potential attackers. If you want to provide an error message in
+ this case, you can subclass
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute.
@@ -1298,13 +1308,6 @@ implementation details see :ref:`using-the-views`.
that allows to send emails asynchronously, e.g. `django-mailer
<https://pypi.org/project/django-mailer/>`_.
- Users flagged with an unusable password (see
- :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
- allowed to request a password reset to prevent misuse when using an
- external authentication source like LDAP. Note that they won't receive any
- error message since this would expose their account's existence but no
- mail will be sent either.
-
**Attributes:**
.. attribute:: template_name