Why does password reset work with an unregistered email in Django?

Submitted by 半世苍凉 on 2020-01-06 04:20:11

Question


I have a couple of questions regarding how the password reset works in Django.

  1. How can I test the password reset during the development phase?

  2. The password reset sends email to unregistered email addresses successfully (as appears on screen). I thought it should display "no such registered email address is found" instead of displaying "password reset successful".

  3. Here is the form used for password reset. I am confused by the form action. It submits to itself, which is http://127.0.0.1:8000/accounts/password/reset/, but how is it that it is redirected to http://127.0.0.1:8000/accounts/password/reset/done/ after submission when it submits to itself?

    {% extends "registration/registration_base.html" %}
    {% load i18n %}
    {% block title %}{% trans "Reset password" %}{% endblock %}
    {% block content %}{% blocktrans %}
    Forgot your password?  Enter your email in the form below and we'll send you
    instructions for creating a new one.{% endblocktrans %}
    <form method='post' action=''>{% csrf_token %}
    <table>
        {{ form }}
        <tr><td></td><td><input type='submit' value="{% trans "Reset password"  %}" /></td></tr>
    </table>
    </form>
    {% endblock %}
    

Answer 1:


  1. I presume the problem is that your development environment isn't set up to send emails? In that case, add this in your settings_local(or equivalent):

    EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
    

    This will cause emails to be displayed in the runserver terminal. You can copy-paste any links from there.

  2. That is deliberate, to not allow outside users to poke at the registration form and see whether a particular email has been registered or not. A "privacy feature", I guess we could call it.

  3. POST-ing to the same URL is a standard practice in Django. It is not a requirement, but it just makes sense to do that. It makes sense because that way a single View handles both the creation of the Form and receiving the data, see Using a form in a view.
    And the redirection happens from the View, deliberately:

    from django.shortcuts import redirect

    def form_valid(self, form):  # FormView hook; Django passes only the bound form
        # ... send the reset e-mail, etc. ...
        return redirect(self.success_url)


    The redirection after a POST is also a standard practice, and not just in Django: http://en.wikipedia.org/wiki/Post/Redirect/Get




Answer 2:


It doesn't display "no such registered email address is found", as it is the best practice approach against phishing attempts. However, you can always write your own code to check if the given email exists in your DB. As for how the user gets redirected to '/accounts/password/reset/done/', I'd have to see the 'Reset password' view to know for sure.



Source: https://stackoverflow.com/questions/22582066/why-does-password-reset-works-with-unregistered-email-in-django
