Re: PasswordResetView not validating existing emails

2020-01-08 Thread Kye Russell
As I recall, and correct me if I’m wrong, but Django’s auth package doesn’t contain user registration views. Thus while I understand your point it does not serve as justification to change this functionality in the core auth code. It is inherent in the functionality of a typical user registra

Re: PasswordResetView not validating existing emails

2020-01-08 Thread Sanyam Mittal
Those enumeration attacks can also be done on the Sign-up page if the Sign-up page uses email ID to register. Mostly Sign-up pages contain Email fields in them. Secondly there are many (majority) websites which are keeping these Validators on PasswordReset so why don't we keep that defa

Re: PasswordResetView not validating existing emails

2020-01-08 Thread Fran Hrženjak
FWIW, for me the question here is why isn't Django applying the same protection against enumeration attacks on sign-up pages? On Thursday, 9 January 2020 02:08:16 UTC+1, SANYAM MITTAL wrote: > > PasswordResetView returns a success message for emails not in database > also. > > *Problems Faced*

Re: PasswordResetView not validating existing emails

2020-01-08 Thread Kye Russell
This is an intentional protection against enumeration attacks. Kye Russell Sent from my iPhone > On 9 Jan 2020, at 9:08 am, SANYAM MITTAL wrote: > >  > PasswordResetView returns a success message for emails not in database also. > > Problems Faced > > If the user is not Registered but strong

PasswordResetView not validating existing emails

2020-01-08 Thread SANYAM MITTAL
PasswordResetView returns a success message for emails not in database also. Problems Faced 1. If the user is not Registered but strongly thinks they are registered and have forgotten the password they would keep trying to get Reset email. 2. If they've typed a wrong email in PasswordResetForm. T

Re: GDAPS

2020-01-08 Thread Aymeric Augustin
Hello Christian, > On 5 Jan 2020, at 14:30, Christian González > wrote: > > And to be honest - does this really make sense to urge people - writing more > code to satisfy the framework? > What I mean is: Why don't you drop that recommendation - when noone is using > it - more than one AppConf

Re: Extent of async integration into 3.0

2020-01-08 Thread Jure Erznožnik
I am sorry, it seems I misunderstood that "reply to list" (quick way of entering the "to" field) with subject change would create a new thread. I'm not really used to mailing lists. LP, Jure On 08/01/2020 10:31, Javier Buzzi wrote: What does this have to do with what Johan Schiff asked about

Re: Extent of async integration into 3.0

2020-01-08 Thread Javier Buzzi
What does this have to do with what Johan Schiff asked about "customizable urlize"? On Tuesday, January 7, 2020 at 1:55:00 PM UTC+1, Jure Erznožnik wrote: > > I've been monitoring this list for a bit, enough to see that 3.x is now > moving in the async direction. > > Is there a roadmap as to wh