
Sorry if the title of this post isn't self-explanatory enough. I've implemented a simple blog application using Django in which I've added the functionality of sending password reset emails in case the users forget their login credentials.

For the sake of clarity, assume that I have two users who are already registered: user1 and user2, and their emails are: user1@mail.com and user2@mail.com.

The problem occurs when I give my default PasswordResetView an email that does not belong to any of my users, say userX@mail.com. And when I go and log into that email address, I indeed see that I received the password reset email, which I definitely shouldn't have.

So, my question is, how can I modify my PasswordResetView so that it first checks whether the given email address actually belongs to one of the existing users and if not, gives back an error?

My project's urls.py file:

from django.contrib import admin
from django.contrib.auth import views as auth_views
from django.urls import path, include
from users import views as user_views
from django.conf import settings
from django.conf.urls.static import static

urlpatterns = [
    path("admin/", admin.site.urls),
    path("blog/", include("blog.urls")),
    path("register/", user_views.register, name="register"),
    path("login/", auth_views.LoginView.as_view(template_name='users/login.html'), name="login"),
    path("logout/", auth_views.LogoutView.as_view(template_name='users/logout.html'), name="logout"),
    path("password-reset/", auth_views.PasswordResetView.as_view(template_name='users/password_reset.html'), name="password_reset"),
    path("password-reset/done/", auth_views.PasswordResetDoneView.as_view(template_name='users/password_reset_done.html'), name="password_reset_done"),
    path("password-reset-complete/", auth_views.PasswordResetCompleteView.as_view(template_name='users/password_reset_complete.html'), name="password_reset_complete"),
    path("password-reset-confirm/<uidb64>/<token>/", auth_views.PasswordResetConfirmView.as_view(template_name='users/password_reset_confirm.html'), name="password_reset_confirm"),
    path("profile/", user_views.profile, name="profile"),
]

if settings.DEBUG:
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

My password_reset.html file:

{% extends 'blog/base.html' %}
{% load crispy_forms_tags %}
{% block content %}
    <div class="content-section">
        <form method="POST">
            {% csrf_token %}

            <fieldset class="form-group">
                <legend class="border-bottom mb-4">Reset Password</legend>
                {{ form|crispy }}
            </fieldset>
            <div class="form-group">
                <button class="btn btn-outline-info" type="submit">Request Password Reset</button>
            </div>
        </form>
    </div>
{% endblock content %}

The code I used to configure my email settings in my settings.py is:

import os

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = os.environ.get('EMAIL_USER')
EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_PASS')
Mert Ozturk
  • arbitrary, anyone can use the *forgot password* link and can type random emails. You don't have to tell them that the entered email isn't in your Database. – JPG Jul 10 '20 at 07:16
  • See https://stackoverflow.com/questions/27734185/inform-user-that-email-is-invalid-using-djangos-password-reset – Aayush Agrawal Jul 10 '20 at 07:19
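The two behaviours discussed above, as an added illustration that is not the asker's code and not Django's own: `reveal_reset` does what the question asks for (reject an address that matches no user), and `safe_reset` does what the comment recommends and what Django's stock `PasswordResetForm` already does conceptually, namely return the same response either way and only send mail when `get_users()` finds an active user with a usable password for that address. The user table, the inactive `user3`, and the in-memory outbox are constructed here so the example runs offline.

```python
"""Password-reset request handling: enumeration-revealing vs. enumeration-safe.

Added example; the User table and outbox are constructed stand-ins for
Django's User model and django.core.mail, not Django code.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_active: bool = True
    has_usable_password: bool = True


# Constructed sample data: the question's two users plus a deactivated one.
USERS = [
    User("user1", "user1@mail.com"),
    User("user2", "user2@mail.com"),
    User("user3", "user3@mail.com", is_active=False),
]


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


def get_users(email, users=USERS):
    """Mirror the filter Django's PasswordResetForm.get_users applies:
    case-insensitive email match, active account, usable password."""
    wanted = email.strip().lower()
    return [
        u for u in users
        if u.email.lower() == wanted and u.is_active and u.has_usable_password
    ]


def reveal_reset(email, outbox, users=USERS):
    """What the question asks for: error out when no user owns the address.

    Cost: the error itself tells an attacker which addresses are registered
    (user enumeration), so every reset attempt becomes a free account probe.
    """
    matches = get_users(email, users)
    if not matches:
        raise ValidationError("No account is registered with this email.")
    for u in matches:
        outbox.append((u.email, f"reset link for {u.username}"))
    return "Email sent."


def safe_reset(email, outbox, users=USERS):
    """Enumeration-safe variant: identical response whether or not the
    address exists; mail goes out only for matching, active users."""
    for u in get_users(email, users):
        outbox.append((u.email, f"reset link for {u.username}"))
    return "If an account exists for this address, a reset email has been sent."


if __name__ == "__main__":
    box = []
    print(safe_reset("userX@mail.com", box), box)   # same text, nothing sent
    print(safe_reset("USER1@mail.com", box), box)   # same text, one mail queued
    try:
        reveal_reset("userX@mail.com", box)
    except ValidationError as exc:
        print("revealing variant leaks:", exc)
```

In Django terms, the revealing variant corresponds to subclassing `PasswordResetForm`, overriding `clean_email` to raise `ValidationError` when `self.get_users(email)` is empty, and passing that class as `form_class` to `PasswordResetView.as_view(...)`. The safe variant is the default behaviour, so no override is needed. One caveat that the safe variant does not cover on its own: because the SMTP send only happens for existing users, the response time of the view can still differ between known and unknown addresses; sending the mail from a background task removes that side channel.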

0 Answers