p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Refs #28248 -- Clarified the precision of PASSWORD_RESET_TIMEOUT_DAYS.

This commit is contained in:
Tim Graham 2017-10-12 14:58:18 -04:00 committed by GitHub
parent f90be0a83e
commit 0edff2107f
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
django/contrib/auth/tokens.py
View File

@ -41,7 +41,11 @@ class PasswordResetTokenGenerator:
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token): if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
return False return False
# Check the timestamp is within limit # Check the timestamp is within limit. Timestamps are rounded to
# midnight (server time) providing a resolution of only 1 day. If a
# link is generated 5 minutes before midnight and used 6 minutes later,
# that counts as 1 day. Therefore, PASSWORD_RESET_TIMEOUT_DAYS = 1 means
# "at least 1 day, could be up to 2."
if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS: if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
return False return False

6
docs/ref/settings.txt
View File

@ -2807,8 +2807,10 @@ the URL in two places (``settings`` and URLconf).
Default: ``3`` Default: ``3``
The number of days a password reset link is valid for. Used by the The minimum number of days a password reset link is valid for. Depending on
:mod:`django.contrib.auth` password reset mechanism. when the link is generated, it will be valid for up to a day longer.
Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`.
.. setting:: PASSWORD_HASHERS .. setting:: PASSWORD_HASHERS