Open ilkerkesen opened 7 years ago
Have you found a chance to look at this?
I am not sure about Django 1.9, but in Django 1.11, if the email does not exist in the system it still gives that message, but it does not try to send any password reset link. The reason it still gives the message is to prevent information leaking to attackers, or so Django says. It is possible to change it so the message says "There is no registered account with that email," but it is considered a feature in Django.
So imagine that I have no registered account on the system, but I fill out the forgotten-password form. After I submit the form, it currently gives a message like "we've sent you a password reset mail", but it should be something like "there is no registered account with the email address foo@bar.com".
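The behaviour described in the comments above, as an added example that is not Django's code or this project's: Django's `PasswordResetForm.save()` only sends mail for addresses that match an active user with a usable password, and the view shows the same "done" page either way, so an unregistered address cannot be told apart from a registered one by the response. The block below models that pattern without Django, placing the enumeration-leaking variant beside the hardened one and adding a check that tells the two apart. All names (`REGISTERED_USERS`, `reset_leaky`, `reset_safe`, `enumerates_accounts`) and the user data are hypothetical and constructed for the example.

```python
"""Account-enumeration check for a password-reset handler.

Added example, not Django's code or the project's. It models the flow the
issue discusses: a hardened handler answers identically for registered and
unregistered addresses and only sends mail when a real, active user with a
usable password matches. All names and data here are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed sample user store (hypothetical data). 'bob' is inactive, so
# like Django's get_users() filter he must not receive a reset mail either.
REGISTERED_USERS = {
    "alice@example.com": {"active": True, "usable_password": True},
    "bob@example.com": {"active": False, "usable_password": True},
}

# The one message every caller sees from the hardened handler.
NEUTRAL_MESSAGE = (
    "If an account with that email exists, we have sent a password reset link."
)


@dataclass
class Outbox:
    """Stand-in for the mail backend: records who would get a reset mail."""
    sent: list = field(default_factory=list)


def _eligible(email: str) -> bool:
    """Mirror Django's rule: existing, active user with a usable password."""
    user = REGISTERED_USERS.get(email.lower())
    return user is not None and user["active"] and user["usable_password"]


def reset_leaky(email: str, outbox: Outbox) -> str:
    """Leaky variant: the response text reveals whether the address is registered."""
    if not _eligible(email):
        return f"There is no registered account with the email address {email}."
    outbox.sent.append(email)
    return "We've sent you a password reset mail."


def reset_safe(email: str, outbox: Outbox) -> str:
    """Hardened variant: identical response either way; mail only when eligible."""
    if _eligible(email):
        outbox.sent.append(email)
    return NEUTRAL_MESSAGE


def enumerates_accounts(handler, known: str, unknown: str) -> bool:
    """Return True if the handler's visible response differs between a
    registered and an unregistered address, i.e. it leaks account existence."""
    return handler(known, Outbox()) != handler(unknown, Outbox())


if __name__ == "__main__":
    for h in (reset_leaky, reset_safe):
        print(h.__name__, "leaks:", enumerates_accounts(h, "alice@example.com", "nobody@example.com"))
```

The response body is only one channel: if the handler sends mail synchronously, the registered case takes measurably longer, so a timing side channel can remain even when the text is identical. Queuing the send or doing equivalent work on both paths closes that gap.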