Closed mhogg closed 8 years ago
I think the password reset view is useless if a user is logged in. A user could user the password change view to change his/her password. If someone by accident access the password reset view an indication of the situation that is in my opinion wrong should be raised. Maybe a 403 code is not the right one. Wikipedia says:
A web server may return a 403 Forbidden HTTP status code in response to a request
from a client for a web page or resource to indicate that the server can be reached and
understood the request, but refuses to take any further action. Status code 403
responses are the result of the web server being configured to deny access, for some
reason, to the requested resource by the client.
And that is the case here. The password reset page is there for people who have lost their password and are NOT logged in.
what do you think?
Yes, you are right that a reset is useless for a user that is logged in. I think I jumped the gun here, probably because the 403 does not give any indication as to what is wrong. Perhaps an error message informing the user that they are already logged in?
An error message informing the user that they are already logged in! That sound's right to me. Wanna update your PR or open another issue?
Currently if a user is logged in (such that user.is_authenticated=True), then get 403 error for password/reset view. There should be a 'not' added such that a 403 error results only if the user is not logged in