innov
/
django1
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Fixed #33443 -- Clarified when PasswordResetView sends an email.

This commit is contained in:
Brad Solomon 2021-09-09 08:11:51 -04:00 committed by Mariusz Felisiak
parent 0a17666045
commit b55ebe3241
1 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
docs/topics/auth/default.txt
View File

@ -1281,10 +1281,20 @@ implementation details see :ref:`using-the-views`.
that can be used to reset the password, and sending that link to the that can be used to reset the password, and sending that link to the
user's registered email address. user's registered email address.
If the email address provided does not exist in the system, this view This view will send an email if the following conditions are met:
won't send an email, but the user won't receive any error message either.
This prevents information leaking to potential attackers. If you want to * The email address provided exists in the system.
provide an error message in this case, you can subclass * The requested user is active (``User.is_active`` is ``True``).
* The requested user has a usable password. Users flagged with an unusable
password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password`) aren't
allowed to request a password reset to prevent misuse when using an
external authentication source like LDAP.
If any of these conditions are *not* met, no email will be sent, but the
user won't receive any error message either. This prevents information
leaking to potential attackers. If you want to provide an error message in
this case, you can subclass
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute. ``form_class`` attribute.
@ -1298,13 +1308,6 @@ implementation details see :ref:`using-the-views`.
that allows to send emails asynchronously, e.g. `django-mailer that allows to send emails asynchronously, e.g. `django-mailer
<https://pypi.org/project/django-mailer/>`_. <https://pypi.org/project/django-mailer/>`_.
Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an
external authentication source like LDAP. Note that they won't receive any
error message since this would expose their account's existence but no
mail will be sent either.
**Attributes:** **Attributes:**
.. attribute:: template_name .. attribute:: template_name