On Wed, 2007-11-07 at 19:11 -0600, James Bennett wrote:
> On Nov 7, 2007 7:08 PM, James Bennett <[EMAIL PROTECTED]> wrote:
> > Which means that this basically boils down to an annoyance attack,
> > changing a user's password without their knowledge. But that's already
> > exposed to anyone who can guess the user's email address, so anyone
> > who simply wants to cause this sort of mischief already has a much
> > easier route to accomplish it.
>
> Sent too soon; I was going to explain that this comes up in the
> password reset view, which simply accepts an email address and resets
> the account(s) associated with it.

The fact that that is also broken (which is very much my view) doesn't the other problem, though.

Malcolm

--
Quantum mechanics: the dreams stuff is made of.
http://www.pointy-stick.com/blog/
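
The reset behaviour discussed in this thread, next to a confirm-by-token variant, as an added example that is not part of the original messages and is not Django's code. The function names, the in-memory user store, the token format and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment server secret
TOKEN_TTL = 3600                      # assumption: token lifetime in seconds
# Constructed sample store; "password" stands in for a stored password hash.
USERS = {"alice@example.com": {"password": "old-hash"}}


def reset_immediately(email):
    """Behaviour described in the thread: knowing the address is enough."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password"] = secrets.token_urlsafe(12)  # changed with no confirmation
    return True


def _sign(email, password_state, ts):
    msg = f"{email}|{password_state}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_reset(email, now=None):
    """Return a token to mail to the address; the account is not modified."""
    user = USERS.get(email)
    if user is None:
        return None
    ts = int(now if now is not None else time.time())
    # Binding the MAC to the current password makes the token single-use.
    return f"{ts}-{_sign(email, user['password'], ts)}"


def confirm_reset(email, token, new_password, now=None):
    """Change the password only when the mailed token verifies and is fresh."""
    user = USERS.get(email)
    ts_str, _, mac = token.partition("-")
    if user is None or not (ts_str.isascii() and ts_str.isdigit()):
        return False
    age = (now if now is not None else time.time()) - int(ts_str)
    if not 0 <= age <= TOKEN_TTL:
        return False
    expected = _sign(email, user["password"], int(ts_str))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    user["password"] = new_password
    return True
```

With the second flow, a request from someone who only knows the address leaves the account untouched; the password changes only for whoever can read the mailbox and present the token.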