Update password reset copy so as not to reveal whether the email exists
A malicious user could use this to test which email addresses are in the user database.
This commit is contained in:
parent
96bf99034c
commit
fd5e513ad6
3 changed files with 10 additions and 5 deletions
@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
|
|||
env = Env()
|
||||
env.read_env()
|
||||
DOMAIN = env("DOMAIN")
|
||||
VERSION = "0.4.1"
|
||||
VERSION = "0.4.2"
|
||||
|
||||
RELEASE_API = env(
|
||||
"RELEASE_API",
|
||||
|
|
|
@ -9,7 +9,13 @@
|
|||
<div class="block">
|
||||
<h1 class="title">{% trans "Reset Password" %}</h1>
|
||||
|
||||
{% if message %}<p class="notification is-primary">{{ message }}</p>{% endif %}
|
||||
{% if sent_message %}
|
||||
<p class="notification is-primary">
|
||||
{% blocktrans trimmed %}
|
||||
A password reset link will be sent to <strong>{{ email }}</strong> if there is an account using that email address.
|
||||
{% endblocktrans %}
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
<p>{% trans "A link to reset your password will be sent to your email address" %}</p>
|
||||
<form name="password-reset" method="post" action="/password-reset">
|
||||
|
|
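Review bot: The new `{% if sent_message %}` notification echoes the submitted address back verbatim through `{{ email }}`, and that value comes straight from `request.POST` in the view section below, so the markup is only safe while autoescaping is on for this template; a short `{# email is user input; relies on template autoescape #}` next to the blocktrans would record that dependency. The older `<p>{% trans "A link to reset your password will be sent to your email address" %}</p>` is still rendered beneath the notification after a submit, so the page shows two near-identical messages; moving it into an `{% else %}` of the same `{% if %}` would avoid the duplicate. Whether the view ever omits `email` from the context when the field is empty cannot be seen from this section.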
|
@ -3,7 +3,6 @@ from django.contrib.auth import login
|
|||
from django.core.exceptions import PermissionDenied
|
||||
from django.shortcuts import redirect
|
||||
from django.template.response import TemplateResponse
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from django.views import View
|
||||
|
||||
from bookwyrm import models
|
||||
|
@ -24,12 +23,13 @@ class PasswordResetRequest(View):
|
|||
def post(self, request):
|
||||
"""create a password reset token"""
|
||||
email = request.POST.get("email")
|
||||
data = {"sent_message": True, "email": email}
|
||||
try:
|
||||
user = models.User.viewer_aware_objects(request.user).get(
|
||||
email=email, email__isnull=False
|
||||
)
|
||||
except models.User.DoesNotExist:
|
||||
data = {"error": _("No user with that email address was found.")}
|
||||
# Showing an error message would leak whether or not this email is in use
|
||||
return TemplateResponse(
|
||||
request, "landing/password_reset_request.html", data
|
||||
)
|
||||
|
@ -40,7 +40,6 @@ class PasswordResetRequest(View):
|
|||
# create a new reset code
|
||||
code = models.PasswordReset.objects.create(user=user)
|
||||
password_reset_email(code)
|
||||
data = {"message": _(f"A password reset link was sent to {email}")}
|
||||
return TemplateResponse(request, "landing/password_reset_request.html", data)
|
||||
|
||||
|
||||
|
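Review bot: The two return paths of `post` now render the same content, but not necessarily with the same latency: the `DoesNotExist` branch returns at `return TemplateResponse(...)` immediately, whereas the found path (which continues past this hunk) creates a `PasswordReset` row and calls `password_reset_email(code)` before returning, so response timing can still differ between known and unknown addresses. The comment on the except branch should say that this is a partial fix, e.g. `# NOTE: the found path still does a DB write and sends mail, so response timing is not uniform; rate limiting is the usual complement`. The lines between the second and third hunks are outside view; any other early return there must render the same `sent_message` context or the distinction reappears. Separately, `request.POST.get("email")` yields `None` when the field is absent, and that value is placed in `data` before the lookup, so the success notification would display `None` as the address; `email = request.POST.get("email", "")` or treating an empty value as a plain form error (which reveals nothing about existing accounts) avoids that.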
|