Updating default errors in contrib.auth.forms.PasswordResetForm

Updating default errors in contrib.auth.forms.PasswordResetForm

Lee Trout
Hi all,

I wasn't sure if it was best to open a ticket or post to the dev group so here I am...

I was curious what others thought about changing the default error in the PasswordResetForm which currently displays "That e-mail address doesn't have an associated user account. Are you sure you've registered?".

I feel like there could be a better default that doesn't expose the fact that an email may or may not be in use. (And that probably goes for the unusable password error, too.)

Relevant bits:
https://github.com/django/django/blob/stable/1.4.x/django/contrib/auth/forms.py#L191

Lee

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-developers/-/9EylAZDthMsJ.
To post to this group, send email to [hidden email].
To unsubscribe from this group, send email to [hidden email].
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: Updating default errors in contrib.auth.forms.PasswordResetForm

Russell Keith-Magee-4
Hi Lee,

What you propose certainly sounds reasonable -- anything that reduces the exposure of valid accounts to an external source is a good thing, IMHO. 

Did you have an alternative wording to suggest? If you do, please open a ticket. 

Yours,
Russ Magee %-)

On Fri, Nov 2, 2012 at 9:42 PM, Lee Trout <[hidden email]> wrote:
Re: Updating default errors in contrib.auth.forms.PasswordResetForm

Donald Stufft
The canonical way of handling this so as not to leak information like that is to do exactly the same thing UX-wise for success and failures, and just update the message to state that if an email address by that account has been registered they will get an email soon.

On Friday, November 2, 2012 at 9:18 PM, Russell Keith-Magee wrote:

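To make the difference concrete, here is an added example (not Django's own code and not from any poster in this thread) that models the 1.4-era PasswordResetForm behaviour Lee links to beside the uniform-response variant Donald describes. It runs without Django: the `User` class, the `USERS` directory, the hash strings and the function names are constructed stand-ins, and the leading "!" marker for an unusable password is assumed to match Django's convention.

```python
# Added example: leaky vs. uniform-response password reset handling.
# Everything here is a constructed model of the form's clean/save path.
from dataclasses import dataclass

UNUSABLE = "!"  # assumed: Django stores unusable passwords with a leading "!"


@dataclass
class User:
    email: str
    password: str  # constructed value; a leading "!" means no usable password

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE)


# Constructed sample directory standing in for User.objects
USERS = [
    User("alice@example.com", "pbkdf2_sha256$constructed$hash"),
    User("bob@example.com", "!unusable"),
]


def leaky_reset(email: str, outbox: list) -> str:
    """Models the behaviour Lee describes: a different message per case, so
    the response text alone tells the caller whether the address is registered."""
    matches = [u for u in USERS if u.email.lower() == email.lower()]
    if not matches:
        return ("That e-mail address doesn't have an associated user account. "
                "Are you sure you've registered?")
    if not any(u.has_usable_password() for u in matches):
        return ("The user account associated with this e-mail address "
                "cannot reset the password.")
    outbox.extend(u.email for u in matches)
    return "We've e-mailed you instructions for setting your password."


GENERIC_MSG = ("If an account with that e-mail address exists, "
               "you will receive password reset instructions shortly.")


def uniform_reset(email: str, outbox: list) -> str:
    """Donald's approach: one message for every outcome. Mail is sent only to
    matching users who can actually reset, but the caller cannot tell."""
    outbox.extend(u.email for u in USERS
                  if u.email.lower() == email.lower() and u.has_usable_password())
    return GENERIC_MSG


def leaks_existence(reset) -> bool:
    """True when a registered address gets a different response than an
    unregistered one, i.e. the form can be used to enumerate accounts."""
    return reset("alice@example.com", []) != reset("nobody@example.com", [])
```

Response timing can still differ because mail is only composed and sent when a user exists; handing the send off to a background task keeps the request path uniform as well.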