[4.0.x] Fixed #33443 -- Clarified when PasswordResetView sends an email.

Backport of b55ebe3241 from main
This commit is contained in:
Brad Solomon 2021-09-09 08:11:51 -04:00 committed by Mariusz Felisiak
parent 92e1018178
commit 519b6d6070
1 changed files with 14 additions and 11 deletions


@ -1281,10 +1281,20 @@ implementation details see :ref:`using-the-views`.
that can be used to reset the password, and sending that link to the that can be used to reset the password, and sending that link to the
user's registered email address. user's registered email address.
If the email address provided does not exist in the system, this view This view will send an email if the following conditions are met:
won't send an email, but the user won't receive any error message either.
This prevents information leaking to potential attackers. If you want to * The email address provided exists in the system.
provide an error message in this case, you can subclass * The requested user is active (``User.is_active`` is ``True``).
* The requested user has a usable password. Users flagged with an unusable
password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password`) aren't
allowed to request a password reset to prevent misuse when using an
external authentication source like LDAP.
If any of these conditions are *not* met, no email will be sent, but the
user won't receive any error message either. This prevents information
leaking to potential attackers. If you want to provide an error message in
this case, you can subclass
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute. ``form_class`` attribute.
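Review bot: the first bullet, "The email address provided exists in the system", is vaguer than the rest of the list; since the other two bullets are stated per user (``User.is_active``, a usable password), consider wording it as the email address matching a user account so that all three conditions read as checks on the same user. The third bullet correctly drops the trailing ``()`` that the old text put inside the :meth: role (Sphinx renders the parentheses itself), but the parenthetical "(see ... )" spanning three lines around a long cross-reference is hard to read; moving the reference into its own sentence after the bullet, e.g. "See :meth:`~django.contrib.auth.models.User.set_unusable_password`.", would keep the list scannable. The closing "If any of these conditions are *not* met" paragraph preserves the original's security rationale (no error message, no information leak), which is the important part to keep.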
@ -1298,13 +1308,6 @@ implementation details see :ref:`using-the-views`.
that allows to send emails asynchronously, e.g. `django-mailer that allows to send emails asynchronously, e.g. `django-mailer
<https://pypi.org/project/django-mailer/>`_. <https://pypi.org/project/django-mailer/>`_.
Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an
external authentication source like LDAP. Note that they won't receive any
error message since this would expose their account's existence but no
mail will be sent either.
**Attributes:** **Attributes:**
.. attribute:: template_name .. attribute:: template_name
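Review bot: removing this paragraph is the right call now that the unusable-password condition lives in the list earlier in the section, but check that nothing from it is lost: the removed sentence "they won't receive any error message since this would expose their account's existence but no mail will be sent either" is only covered by the generic "This prevents information leaking to potential attackers" wording above, so the explicit account-existence rationale for staying silent no longer appears anywhere. Consider carrying that phrase into the new paragraph, e.g. "since an error message would expose whether the account exists".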