问题
I have a couple of questions regarding how the password reset works in Django.
How can I do testing on password reset testing during development phase?
The password reset sends email to unregistered email addresses successfully (as appears on screen). I thought it should display "no such registered email address is found" instead of displaying "password reset successful".
Here is the form used for password reset. I am confused from the form action. It submits to itself which is
http://127.0.0.1:8000/accounts/password/reset/
but how is that it is redirected tohttp://127.0.0.1:8000/accounts/password/reset/done/
after submission when it submits to itself.{% extends "registration/registration_base.html" %} {% load i18n %} {% block title %}{% trans "Reset password" %}{% endblock %} {% block content %}{% blocktrans %} Forgot your password? Enter your email in the form below and we'll send you instructions for creating a new one.{% endblocktrans %} <form method='post' action=''>{% csrf_token %} <table> {{ form }} <tr><td></td><td><input type='submit' value="{% trans "Reset password" %}" /></td></tr> </table> </form> {% endblock %}
回答1:
I presume the problem is that your development environment isn't set up to send emails? In that case, add this in your
settings_local
(or equivalent):EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
This will cause emails to be displayed in the runserver terminal. You can copy-paste any links from there.
That is deliberate, to not-allow outside users to poke at the registration form and see whether a particular email has been registered or not. A "privacy feature", I guess we could call it.
POST-ing to the same URL is a standard practice in Django. It is not a requirement, but it just makes sense to do that. It makes sense because that way a single View handles both creating of the
Form
and receiving the data, see Using a form in a view
And the redirection happens from the View, deliberately:def form_valid(self, request, form): # blah blah... return redirect(success_url)
The redirection after a POST is also a standard practice, and not just in Django: http://en.wikipedia.org/wiki/Post/Redirect/Get
回答2:
I doesn't display "no such registered email address is found", as it is the best practice approach against phishing attempts. However, you can always write your own code to check if the given email exists in your DB. As for how the user gets redirected to '/accounts/password/reset/done/', I'd have to see the 'Reset password' view to know for sure.
来源:https://stackoverflow.com/questions/22582066/why-does-password-reset-works-with-unregistered-email-in-django