mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed #33443 -- Clarified when PasswordResetView sends an email.
This commit is contained in:
parent
0a17666045
commit
b55ebe3241
@ -1281,10 +1281,20 @@ implementation details see :ref:`using-the-views`.
|
||||
that can be used to reset the password, and sending that link to the
|
||||
user's registered email address.
|
||||
|
||||
If the email address provided does not exist in the system, this view
|
||||
won't send an email, but the user won't receive any error message either.
|
||||
This prevents information leaking to potential attackers. If you want to
|
||||
provide an error message in this case, you can subclass
|
||||
This view will send an email if the following conditions are met:
|
||||
|
||||
* The email address provided exists in the system.
|
||||
* The requested user is active (``User.is_active`` is ``True``).
|
||||
* The requested user has a usable password. Users flagged with an unusable
|
||||
password (see
|
||||
:meth:`~django.contrib.auth.models.User.set_unusable_password`) aren't
|
||||
allowed to request a password reset to prevent misuse when using an
|
||||
external authentication source like LDAP.
|
||||
|
||||
If any of these conditions are *not* met, no email will be sent, but the
|
||||
user won't receive any error message either. This prevents information
|
||||
leaking to potential attackers. If you want to provide an error message in
|
||||
this case, you can subclass
|
||||
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
|
||||
``form_class`` attribute.
|
||||
|
||||
@ -1298,13 +1308,6 @@ implementation details see :ref:`using-the-views`.
|
||||
that allows to send emails asynchronously, e.g. `django-mailer
|
||||
<https://pypi.org/project/django-mailer/>`_.
|
||||
|
||||
Users flagged with an unusable password (see
|
||||
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
|
||||
allowed to request a password reset to prevent misuse when using an
|
||||
external authentication source like LDAP. Note that they won't receive any
|
||||
error message since this would expose their account's existence but no
|
||||
mail will be sent either.
|
||||
|
||||
**Attributes:**
|
||||
|
||||
.. attribute:: template_name
|
||||
|
Loading…
Reference in New Issue
Block a user