Mike-Heneghan / ALISS

ALISS (A Local Information System for Scotland) is a service to help you find help and support close to you when you need it most.
https://aliss.org

Create error when the email address for a password reset is invalid. #54

Closed Mike-Heneghan closed 5 years ago

Mike-Heneghan commented 5 years ago

Should be inbuilt functionality which needs to be investigated. Check the form object or something of that type.

Mike-Heneghan commented 5 years ago

Currently, if a user tries to reset a password on an account that doesn't exist, then they get the reset confirmation page anyway, as below:

[Three screenshots taken 2019-03-22 showing the reset confirmation page for a non-existent account]
Mike-Heneghan commented 5 years ago

Information on password_reset: https://docs.djangoproject.com/en/1.11/topics/auth/default/

"If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the form_class attribute."

Mike-Heneghan commented 5 years ago

Although the current process of seeing a successful reset message despite the email not being associated with an ALISS account could be misleading for users, it does serve a purpose. As per the Django documentation quoted above, this stops information being leaked to attackers.

As this is a security feature the behaviour will not be overwritten.
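The behaviour the thread settles on, as an added illustration that is neither ALISS code nor Django's own implementation: a reset-request handler that returns one neutral message whether or not the address is registered, shown beside the enumerable variant the issue originally asked for. The in-memory user table, token store and outbox are constructed stand-ins for the database and mail backend.

```python
"""Constant-response password reset request (added example, not project code).

Mirrors the behaviour the Django docs describe for the password_reset view:
an unknown address gets no email and no error, so the response cannot be used
to discover which addresses have accounts.
"""
import secrets

# Constructed sample accounts; lookups normalise the address to lower case.
USERS = {
    "alice@example.org": {"id": 1, "active": True},
    "bob@example.org": {"id": 2, "active": False},   # disabled account
}

OUTBOX = []   # constructed stand-in for the mail backend
TOKENS = {}   # user id -> reset token (Django uses a signed, expiring token)

NEUTRAL_MESSAGE = ("If an account exists for that address, we have emailed "
                   "instructions for resetting the password.")


def request_password_reset(email: str) -> str:
    """Return the same message for known, unknown and disabled addresses.

    Only an existing, active account gets a token and an email; everything
    else is silently ignored rather than reported back to the requester.
    """
    user = USERS.get(email.strip().lower())
    if user is not None and user["active"]:
        token = secrets.token_urlsafe(32)
        TOKENS[user["id"]] = token
        OUTBOX.append({"to": email, "token": token})
    return NEUTRAL_MESSAGE


def leaky_request_password_reset(email: str) -> str:
    """The behaviour first requested in the issue: the reply reveals whether
    an account is registered, which is exactly the leak the docs warn about."""
    if email.strip().lower() not in USERS:
        return "No account is registered with that email address."
    return request_password_reset(email)


def emails_sent_to(email: str) -> int:
    """How many reset emails the stand-in outbox holds for an address."""
    return sum(1 for m in OUTBOX if m["to"] == email)
```

Identical response text is only part of the defence: the time spent generating a token and sending mail can still differ between the two paths, which is one reason production deployments hand the send-off to a background queue.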