On 10/9/07, James Bennett <[EMAIL PROTECTED]> wrote:
>
> On 10/8/07, Marty Alchin <[EMAIL PROTECTED]> wrote:
> > His point is that anyone could trigger that email. And, while you're
> > right that only the true user would receive the email, the target
> > user's password will get reset regardless. So, if I didn't like you, I
> > could put in your email address, and even though I can't access your
> > account, I can still lock you out until you receive the email.
>
> This requires that they know your email address. And you get the email
> with the new password, so it's not like you're "locked out" -- you
> just have to check your email. The chance of someone actually doing
> this, combined with the fact that it doesn't create a security
> problem, only a minor inconvenience, would be enough for me to rule it
> insignificant.
Agreed. I never said it was a big problem, just that I can see it happening. In fact, I can see it happening on a site I'm building. I expect it would probably happen a lot, actually. But, that's because it's a very strange audience, who have a long history of annoying other members. I certainly don't expect it to be a widespread problem.

Now that it's been brought up, I'll probably just write my own reset view, which implements the challenge email method Bill's proposing. I certainly don't think it's enough of a problem to work its way into the registration app itself.

Bill, once I have that view ready, I'll put it up on djangosnippets and give you an email.

-Gul
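The challenge-email flow the thread is discussing, as an added example that is not code from this thread, from django-registration or from Django itself: the reset request changes nothing on the account, and the password only changes once the emailed token comes back, so a stranger who knows your address cannot reset it out from under you. The in-memory user store, the bare SHA-256 password hash and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # constructed; a real app loads it from settings
TOKEN_TTL = 3600                       # seconds a challenge token stays valid

def _hash_password(password):
    # Illustration only: a real site uses a slow, salted KDF, not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed in-memory user store standing in for the auth User table.
USERS = {"alice@example.com": {"password_hash": _hash_password("old-pass")}}

def _sign(email, ts, password_hash):
    # Binding the current hash into the MAC makes a token single-use:
    # once the password changes, the old token no longer verifies.
    msg = f"{email}|{ts}|{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def request_reset(email, now=None):
    """Step 1, callable by anyone: nothing about the account changes.
    Returns the token that would be mailed to the address, or None if unknown."""
    user = USERS.get(email)
    if user is None:
        return None
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_sign(email, ts, user['password_hash'])}"

def confirm_reset(email, token, new_password, now=None):
    """Step 2: the password changes only for whoever presents the mailed token."""
    user = USERS.get(email)
    if user is None:
        return False
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if ts > now or now - ts > TOKEN_TTL:
        return False           # expired or forged timestamp
    if not hmac.compare_digest(sig, _sign(email, ts, user["password_hash"])):
        return False
    user["password_hash"] = _hash_password(new_password)
    return True

def check_password(email, password):
    return hmac.compare_digest(USERS[email]["password_hash"], _hash_password(password))
```

In a real view the token travels in a link in the email and the two steps are two URLs; only the second one touches the password.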