Update password reset copy so as not to reveal whether the email exists

An attacker could use the old "no user found" error to enumerate which email
addresses are registered in the user database.
This commit is contained in:
Mouse Reeve 2022-07-06 19:34:00 -07:00
parent 96bf99034c
commit fd5e513ad6
3 changed files with 10 additions and 5 deletions


@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
env = Env() env = Env()
env.read_env() env.read_env()
DOMAIN = env("DOMAIN") DOMAIN = env("DOMAIN")
VERSION = "0.4.1" VERSION = "0.4.2"
RELEASE_API = env( RELEASE_API = env(
"RELEASE_API", "RELEASE_API",


@ -9,7 +9,13 @@
<div class="block"> <div class="block">
<h1 class="title">{% trans "Reset Password" %}</h1> <h1 class="title">{% trans "Reset Password" %}</h1>
{% if message %}<p class="notification is-primary">{{ message }}</p>{% endif %} {% if sent_message %}
<p class="notification is-primary">
{% blocktrans trimmed %}
A password reset link will be sent to <strong>{{ email }}</strong> if there is an account using that email address.
{% endblocktrans %}
</p>
{% endif %}
<p>{% trans "A link to reset your password will be sent to your email address" %}</p> <p>{% trans "A link to reset your password will be sent to your email address" %}</p>
<form name="password-reset" method="post" action="/password-reset"> <form name="password-reset" method="post" action="/password-reset">
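Review bot: The new notification reflects the submitted address back inside `<strong>{{ email }}</strong>`, so this block is safe only while Django template autoescaping is active for this template; if the block is ever wrapped in `{% autoescape off %}` or the value is marked safe in the view, it becomes a reflected XSS sink. A one-line template comment next to the blocktrans, `{# email is user input; relies on autoescaping, never mark it safe #}`, would keep that from being lost. The unconditional paragraph that follows ("A link to reset your password will be sent to your email address") now restates the notification after a submission; consider hiding it with `{% if not sent_message %}` so the page carries one message. The form element continues past the end of this section.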


@ -3,7 +3,6 @@ from django.contrib.auth import login
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.shortcuts import redirect from django.shortcuts import redirect
from django.template.response import TemplateResponse from django.template.response import TemplateResponse
from django.utils.translation import gettext_lazy as _
from django.views import View from django.views import View
from bookwyrm import models from bookwyrm import models
@ -24,12 +23,13 @@ class PasswordResetRequest(View):
def post(self, request): def post(self, request):
"""create a password reset token""" """create a password reset token"""
email = request.POST.get("email") email = request.POST.get("email")
data = {"sent_message": True, "email": email}
try: try:
user = models.User.viewer_aware_objects(request.user).get( user = models.User.viewer_aware_objects(request.user).get(
email=email, email__isnull=False email=email, email__isnull=False
) )
except models.User.DoesNotExist: except models.User.DoesNotExist:
data = {"error": _("No user with that email address was found.")} # Showing an error message would leak whether or not this email is in use
return TemplateResponse( return TemplateResponse(
request, "landing/password_reset_request.html", data request, "landing/password_reset_request.html", data
) )
@ -40,7 +40,6 @@ class PasswordResetRequest(View):
# create a new reset code # create a new reset code
code = models.PasswordReset.objects.create(user=user) code = models.PasswordReset.objects.create(user=user)
password_reset_email(code) password_reset_email(code)
data = {"message": _(f"A password reset link was sent to {email}")}
return TemplateResponse(request, "landing/password_reset_request.html", data) return TemplateResponse(request, "landing/password_reset_request.html", data)
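Review bot: The response body is now identical for known and unknown addresses, but the two paths still differ in time: the `DoesNotExist` branch returns immediately, while the found-user branch first creates a `PasswordReset` row and calls `password_reset_email(code)` before rendering the same template. If that send is synchronous (it appears to be, but the helper is outside this diff), the latency difference is measurable and discloses the same fact the removed message did; moving the send to a background task or a deferred job after the response would close that channel. The lines between the two hunks (original 36-39) are not visible here — if they return a distinct response for, say, a deactivated account, that path still enumerates. A short comment in the except branch would make the remaining gap explicit: `# NOTE: response timing still differs from the found-user path while the email is sent synchronously`. Unrelated to this fix but worth noting, nothing throttles this endpoint, so anyone can trigger unlimited reset mails to an arbitrary address.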