On Fri, Jun 27, 2008 at 8:31 PM, Simon Willison <[EMAIL PROTECTED]> wrote:
> I've got code for this lying round which I'd be happy to donate if
> people agree this is the right approach.

I personally much prefer this approach. I've worked in a couple communities where personal attacks were quite frequent, and a common tactic was to claim a password was lost on someone else's account. It didn't give them access to the account in question, but it would adequately lock the person out if they happened to visit the site prior to checking their email.

Of course, sites like that also tended to have password change forms that accepted GET requests, and didn't have sufficient XSS protection. As you can imagine, wackiness ensued.

-Gul