[PATCH 1 of 3 v2] privacy: on password reset, don't tell strangers if email is valid or not
Andrew Shadura
andrew at shadura.me
Sun Jun 7 07:14:40 EDT 2015
# HG changeset patch
# User Andrew Shadura <andrew at shadura.me>
# Date 1431787037 -7200
# Sat May 16 16:37:17 2015 +0200
# Node ID 9b7a12fef6f4922730fb9e690e0567a6a4b32473
# Parent d7f13c2a28bacccdab00745a8dccf39fa4c40e31
privacy: on password reset, don't tell strangers if email is valid or not
Password reset form might be used to check if users with specific email
addresses have accounts in the system by requesting their password to be
reset. It's probably not a good idea to give this sort of information to
complete strangers.
diff --git a/kallithea/model/forms.py b/kallithea/model/forms.py
--- a/kallithea/model/forms.py
+++ b/kallithea/model/forms.py
@@ -202,7 +202,7 @@ def PasswordResetForm():
class _PasswordResetForm(formencode.Schema):
allow_extra_fields = True
filter_extra_fields = True
- email = All(v.ValidSystemEmail(), v.Email(not_empty=True))
+ email = v.Email(not_empty=True)
return _PasswordResetForm
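
Review bot: with v.ValidSystemEmail() dropped from the email field of _PasswordResetForm, an address that has no account now passes validation, and nothing in this hunk shows how the code consuming the form handles that case. The enumeration leak is only closed if that code treats a missing user as a normal outcome and returns the same page and message as for a known address; an exception or a different flash message there would reveal the same information the validator used to. Since this is patch 1 of 3, please either make that handling part of this changeset or say in the commit message which patch in the series provides it, so that this one is safe to apply on its own. A test that submits the reset form once with a registered and once with an unregistered address and compares the two responses would pin the behaviour down. Also worth checking whether All is still used elsewhere in forms.py after this change.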