#23793: Password Reset is confusing
--------------------------------------+------------------------------------
Reporter: collinanderson | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: 1.6
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by erikr):
* easy: 0 => 1
Comment:
* I agree completely that the existing situation is confusing to users and
developers.
* We should indeed document how to recreate the old situation where
explicit errors are raised if no e-mail was sent.
* We should also explicitly document this silent error behaviour on the
pages where we describe the templates to create for password reset.
* Note that an account not existing is not the only case now where no
e-mail is sent (without error): this is also the case if the account is
inactive or has an unusable password.
* I am completely opposed to sending an e-mail if there is no match. That
would turn any Django site into a trivial spam machine, and I think there
may also be security implications, but I am not entirely sure about that.
--
Ticket URL: <https://code.djangoproject.com/ticket/23793#comment:2>
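
Added example, not part of the ticket and not Django's own code: a plain-Python model of the behaviour the comment describes, where no e-mail is sent for an unknown, inactive or unusable-password account, the user sees the same response in every case, and the reason is recorded only in a server-side log. The Account class, the function names and the sample accounts are assumptions made for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("password_reset")

# Same text for every outcome, so the response does not reveal account state.
GENERIC_RESPONSE = "If that address belongs to an account, a reset e-mail has been sent."


@dataclass
class Account:  # hypothetical stand-in for a user record
    email: str
    is_active: bool
    has_usable_password: bool


def skip_reason(matches):
    """Return None if a reset mail may be sent, else why it is silently skipped."""
    if not matches:
        return "no account with this address"
    if not any(a.is_active for a in matches):
        return "account is inactive"
    if not any(a.is_active and a.has_usable_password for a in matches):
        return "account has an unusable password"
    return None


def request_reset(accounts, email, send_mail):
    """Handle one reset request; returns (response_text, reason_or_None)."""
    matches = [a for a in accounts if a.email.lower() == email.lower()]
    reason = skip_reason(matches)
    if reason is None:
        for a in matches:
            if a.is_active and a.has_usable_password:
                send_mail(a.email)
    else:
        # Server-side only: developers and support can see why nothing was sent.
        log.info("password reset for %r skipped: %s", email, reason)
    return GENERIC_RESPONSE, reason


# Constructed sample data.
ACCOUNTS = [
    Account("alice@example.com", True, True),
    Account("bob@example.com", False, True),
    Account("carol@example.com", True, False),
]
```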