Do not show validation error on password reset
This can leak information about whether an account exists or not.

Fixes #1317

Signed-off-by: Michal Čihař <michal@cihar.com>
nijel committed Jan 17, 2017
1 parent e95eacf commit abe0d2a
Showing 2 changed files with 19 additions and 0 deletions.
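--- a/weblate/accounts/tests/test_registration.py
+++ b/weblate/accounts/tests/test_registration.py
@@ -210,6 +210,23 @@ def test_reset(self):
 
 self.assert_registration('[Weblate] Password reset on Weblate')
 
+def test_reset_nonexisting(self):
+'''
+Test for password reset.
+'''
+response = self.client.get(
+reverse('password_reset'),
+)
+self.assertContains(response, 'Reset my password')
+response = self.client.post(
+reverse('password_reset'),
+{
+'email': 'test@example.com'
+}
+)
+self.assertRedirects(response, reverse('email-sent'))
+self.assertEqual(len(mail.outbox), 0)
+
 def test_reset_twice(self):
 '''
 Test for password reset.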
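Review bot: The docstring of the added test_reset_nonexisting is copied verbatim from test_reset ("Test for password reset.") and says nothing about what this case guards; something like `'''Password reset for an unknown address must look like a successful reset.'''` would document the intent. The assertions only pin the redirect target and the empty outbox, so a later change that renders a different page or message for unknown addresses would still pass; asserting that the page reached after the redirect matches what the known-account case shows would lock in the indistinguishability this commit is meant to provide. The enclosing test class starts and ends outside the hunk.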
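--- a/weblate/accounts/views.py
+++ b/weblate/accounts/views.py
@@ -572,6 +572,8 @@ def reset_password(request):
 
 request.session['password_reset'] = True
 return complete(request, 'email')
+else:
+return redirect('email-sent')
 else:
 form = ResetForm()
 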
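Review bot: The new `else:` / `return redirect('email-sent')` branch masks every validation failure of ResetForm, not only the unknown-account case, so an empty or malformed address also lands on the "sent" page with no hint that the input was rejected; if the form's errors distinguish a format error from a missing account, only the latter needs to be hidden. The valid branch sets `request.session['password_reset'] = True` before finishing while the new branch does not, so if the email-sent page or a later step reads that flag the two paths presumably stay distinguishable — setting it in both branches would close that gap. The valid path also does mail work before responding while the new path returns immediately, so response timing may still differ; that is harder to remove but worth stating next to the redirect, e.g. `# Unknown addresses are deliberately handled like known ones so the response does not reveal whether an account exists.` reset_password starts and ends outside the hunk.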
