Closed Mike-Heneghan closed 5 years ago
Currently, if a user tries to reset a password on an account that doesn't exist, they get the reset confirmation page anyway, as below:
Information on password_reset: https://docs.djangoproject.com/en/1.11/topics/auth/default/
"If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the form_class attribute."
Although the current process of seeing a successful reset message despite the email not being associated with an ALISS account could be misleading for users it does serve a purpose. As per the Django documentation quoted above, this stops information being leaked to attackers.
As this is a security feature, the behaviour will not be overridden.
Should be built-in functionality, which needs to be investigated. Check the form object or something of that type.
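The behaviour this thread settles on, shown as an added example that is not code from the ALISS project or from Django: a framework-free model of a password-reset handler that always returns the same confirmation (what Django's PasswordResetForm does by default) beside the "report unknown addresses" variant the Django docs say a subclassed form could provide, plus a check that tells the two apart. The account store, outbox and messages are constructed sample data, and the function names are hypothetical.

```python
"""Added example (not code from the ALISS project or from Django): a
framework-free model of the password-reset behaviour discussed above.

enumeration_safe_reset mirrors what Django's PasswordResetForm does by
default: it sends mail only for accounts that exist, but every caller
receives the same confirmation. leaky_reset mirrors what a subclassed form
that reports "no such account" would do. The account store, outbox and
message strings are constructed sample data, not taken from any project.
"""
from dataclasses import dataclass, field

# Constructed sample account store: addresses that do have accounts.
KNOWN_ACCOUNTS = {"alice@example.org", "bob@example.org"}

# The one response every caller sees, whether or not the account exists.
GENERIC_CONFIRMATION = (
    "If an account exists for that address, we have emailed a reset link."
)


@dataclass
class Outbox:
    """Stand-in for the mail backend; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def _normalise(email: str) -> str:
    # Case-insensitive match on the address, as a realistic lookup would do.
    return email.strip().lower()


def enumeration_safe_reset(email: str, outbox: Outbox) -> str:
    """Default Django-like behaviour: mail is sent only for a known account,
    but the returned message is identical for known and unknown addresses."""
    address = _normalise(email)
    if address in KNOWN_ACCOUNTS:
        outbox.send(address, "Password reset")
    return GENERIC_CONFIRMATION


def leaky_reset(email: str, outbox: Outbox) -> str:
    """The 'helpful' variant the Django docs describe as possible via a
    subclassed form: an explicit error for unknown addresses. Anyone who can
    submit the form can now test which emails have accounts."""
    address = _normalise(email)
    if address not in KNOWN_ACCOUNTS:
        return "No account found for that email address."
    outbox.send(address, "Password reset")
    return GENERIC_CONFIRMATION


def enumerates_accounts(handler, probe_emails) -> bool:
    """Review check: does the handler's visible response differ between
    addresses? If so, the endpoint is a user-enumeration oracle."""
    responses = {handler(email, Outbox()) for email in probe_emails}
    return len(responses) > 1


if __name__ == "__main__":
    probes = ["alice@example.org", "nobody@example.org"]
    print("safe handler leaks:", enumerates_accounts(enumeration_safe_reset, probes))
    print("leaky handler leaks:", enumerates_accounts(leaky_reset, probes))
```

The check only compares the message bodies, which is the property the quoted Django documentation promises. A caveat beyond what the thread covers: if the known-account path does noticeably more work (rendering and sending the mail) than the unknown-account path, response time can still hint at account existence, so a thorough review of a reset endpoint also compares latency between the two cases.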