Polytechnique-org / xorgauth

Polytechnique.org Authentication / Authorization provider
GNU Affero General Public License v3.0

Do not use email field if it is empty #83

Closed fishilico closed 6 years ago

fishilico commented 6 years ago

When the email address (or username) entered into the password reset form is empty, "cleaned_data = super(PasswordResetFrom, self).clean()" drops this field, but PasswordResetFrom.clean() expects cleaned_data['email'] to be present. Remove such an assumption.

It is currently easy to trigger an HTTP 500 error by entering a space in the recovery email form field.

elinorbgr commented 6 years ago

Just wondering, is it normal that in the happy path, PasswordResetFrom.clean() returns nothing?

fishilico commented 6 years ago

Good point. Returning None works because if email is not present, self._errors['email'] would be populated. Anyway the function should return the return value of the parent class here.
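
Added example, not code from this pull request or from the xorgauth project: a stdlib-only model of the failure discussed in this thread, with the fragile clean() beside a tolerant one. BaseForm is a simplified stand-in for Django's form validation flow, and the class names, the submit() helper and the lowercasing step are hypothetical.

```python
class BaseForm:
    """Simplified stand-in for a Django form (assumption, not Django itself).
    Models two behaviours: a field that fails validation is left out of
    cleaned_data, and a clean() that returns None keeps cleaned_data as is."""

    def __init__(self, data):
        self.data, self.errors, self.cleaned_data = data, {}, {}

    def is_valid(self):
        value = self.data.get("email", "").strip()  # whitespace-only becomes ""
        if value:
            self.cleaned_data["email"] = value
        else:
            self.errors["email"] = ["This field is required."]
        result = self.clean()
        if result is not None:
            self.cleaned_data = result
        return not self.errors

    def clean(self):
        return self.cleaned_data


class FragileResetForm(BaseForm):
    def clean(self):
        cleaned_data = super().clean()
        # Assumes the key exists: raises KeyError when the field was dropped.
        cleaned_data["email"] = cleaned_data["email"].lower()  # hypothetical step


class RobustResetForm(BaseForm):
    def clean(self):
        cleaned_data = super().clean()
        email = cleaned_data.get("email")
        if email:  # skip when field validation already reported an error
            cleaned_data["email"] = email.lower()  # hypothetical step
        return cleaned_data  # propagate the parent's return value


def submit(form_cls, raw_email):
    """Outcome a view would see: 'ok', 'form_error', or 'server_error'."""
    form = form_cls({"email": raw_email})
    try:
        return "ok" if form.is_valid() else "form_error"
    except KeyError:  # an uncaught exception in a view surfaces as HTTP 500
        return "server_error"
```
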