# HG changeset patch
# User Andrew Shadura <and...@shadura.me>
# Date 1431787037 -7200
#      Sat May 16 16:37:17 2015 +0200
# Node ID 9b7a12fef6f4922730fb9e690e0567a6a4b32473
# Parent  d7f13c2a28bacccdab00745a8dccf39fa4c40e31
privacy: on password reset, don't tell strangers if email is valid or not

Password reset form might be used to check if users with specific email
addresses have accounts in the system by requesting their password to be
reset. It's probably not a good idea to give this sort of information to
complete strangers.

diff --git a/kallithea/model/forms.py b/kallithea/model/forms.py
--- a/kallithea/model/forms.py
+++ b/kallithea/model/forms.py
@@ -202,7 +202,7 @@ def PasswordResetForm():
     class _PasswordResetForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
-        email = All(v.ValidSystemEmail(), v.Email(not_empty=True))
+        email = v.Email(not_empty=True)
     return _PasswordResetForm
 
 
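Review bot: Dropping `v.ValidSystemEmail()` from `email` in `_PasswordResetForm` only closes the account-enumeration oracle if the code consuming this form responds identically for registered and unregistered addresses. That handler is outside this hunk, so check that it no longer assumes the user lookup succeeds, and that it shows the same confirmation message (and sends no mail) when no account matches. It would also help to record the intent next to the field so the validator is not re-added later, e.g. `# No ValidSystemEmail() here: rejecting unknown addresses would reveal which emails have accounts.` If `All` is now unused in forms.py its import can be dropped as well, though that cannot be confirmed from this hunk.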