[PATCH] privacy: on password reset, don't tell strangers if email is valid or not

Andrew Shadura andrew at shadura.me
Sat May 16 10:37:42 EDT 2015


# HG changeset patch
# User Andrew Shadura <andrew at shadura.me>
# Date 1431787037 -7200
#      Sat May 16 16:37:17 2015 +0200
# Node ID 388a6eada55925cb55cd2368e47a6115d833b4c1
# Parent  93de511e84fe940786acf468789a77daed83a461
privacy: on password reset, don't tell strangers if email is valid or not

Password reset form might be used to check if users with specific email
addresses have accounts in the system by requesting their password to be
reset. It's probably not a good idea to give this sort of information to
complete strangers.

diff --git a/kallithea/model/forms.py b/kallithea/model/forms.py
--- a/kallithea/model/forms.py
+++ b/kallithea/model/forms.py
@@ -202,7 +202,7 @@ def PasswordResetForm():
     class _PasswordResetForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
-        email = All(v.ValidSystemEmail(), v.Email(not_empty=True))
+        email = v.Email(not_empty=True)
     return _PasswordResetForm
 
 
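Review bot: dropping `v.ValidSystemEmail()` from the `email` field stops the form from raising a distinct validation error for unregistered addresses, but the hunk shows only the schema change; whatever consumes the validated email (the reset controller) now receives addresses that may not belong to any user, and it has to handle that case with exactly the same response, flash message and redirect as the registered case, otherwise the existence check just moves from the form to the controller. Please include that controller change in the same patch, or state in the commit message that it already behaves that way. Also, with `All(...)` gone from this line, check whether `All` is still used elsewhere in forms.py; if not, its import should go as well.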

