Hi, I'd like to use contrib.auth's password reset feature, but wouldn't like to expose my user id. Since user ids (even if they start at an arbitrary number) can be used to deduce the size of the userbase and growth rate, I think it's easy enough to justify this at least as an option.
To fix this, I'd like to suggest the token generator (see django.contrib.auth.tokens) be made in charge of creating a single token of whatever form it wishes, and the token would be the only information revealed to the user. The token generator will also be in charge of receiving the token, and returning a user object if the token is valid. If you look at django.contrib.auth.forms.PasswordResetForm, you will see it sends the user both the uid (encoded to base36) and the token, and the token generator expects to be fed the user object from the outside.

Does this make sense? I don't mind submitting a patch, but it will break custom token generators' APIs (or we add a somewhat ugly backwards-compatibility check). At the moment, I believe I'm forced to replace the whole form and the token generator, as well as wrap the view.

- Yaniv
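An added example, not Django's code and not part of the original post, of the two-method generator API proposed above (`make_token(user)` returns one opaque token that carries no user id; `get_user(token)` resolves it back). The `User` class, the `users` dict and the in-memory `_pending` store are hypothetical stand-ins for the Django model, `User.objects.get` and a database table; the token is random, single-use, time-limited, and invalidated if the password changes after issue, mirroring what the stock generator achieves with its HMAC.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    """Stand-in for django.contrib.auth's user model (constructed for the example)."""
    pk: int
    password: str  # the stored password hash, as on a Django user


class OpaqueResetTokenGenerator:
    """Hypothetical generator for the proposed API: the token is the only thing sent
    to the user, and the generator itself maps it back to a user object."""

    def __init__(self, users, timeout_seconds=3600, now=time.time):
        self._users = users            # pk -> User; stands in for User.objects.get
        self._timeout = timeout_seconds
        self._now = now                # injectable clock so expiry can be tested
        self._pending = {}             # sha256(token) -> (pk, password hash at issue, expiry)

    def make_token(self, user):
        # Random token: reveals nothing about the user id or the size of the user base.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # store only a hash of it
        self._pending[digest] = (user.pk, user.password, self._now() + self._timeout)
        return token

    def get_user(self, token):
        """Return the user for a valid token, or None. Every lookup consumes the token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)                # single use
        if entry is None:
            return None
        pk, password_at_issue, expiry = entry
        if self._now() > expiry:                               # expired
            return None
        user = self._users.get(pk)
        if user is None:
            return None
        # A password change after issue invalidates the token, as in the stock generator.
        if not hmac.compare_digest(user.password.encode(), password_at_issue.encode()):
            return None
        return user
```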