Opened 18 years ago

Closed 17 years ago

#4235 closed (fixed)

User emails are not unique in contrib.auth. Password_reset is based on emails.

Reported by: Oscar <ochen@…> Owned by: Adrian Holovaty
Component: Contrib apps Version: dev
Severity: Keywords: password auth registration
Cc: Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In the auth contrib, password_reset works based on email addresses. The model does not ask that emails remain unique however by default. Instead it asks for unique usernames. The password_reset form errors if there are more than one user with the same email. It should probably therefore be based off of username and perhaps optionally display the email address the automatically generated password was emailed to.

Change History (2)

comment:1 by Chris Beaven, 18 years ago

Triage Stage: UnreviewedDesign decision needed

You're right, either the reset form or the model should change.

-1 on displaying the email address -- that's giving away confidential information.

Another solution would be changing the way the reset form works so it doesn't reset the password until confirmation is received (protected with some hash). Then the reset email could contain multiple usernames asking the user which password (if any) they would like to reset.

I'll leave as a design decision until the way to solve this is decided.

comment:2 by James Bennett, 17 years ago

Resolution: fixed
Status: newclosed

Closing fixed since [5493] changed the behavior when more than one user has the same email address -- all users at that address are reset. A complaint about that is in #5272.

Note: See TracTickets for help on using tickets.
Back to Top