- pretends to have sent the email with the URL to change the password
regardless of whether or not the email was actually sent. This
avoids revealing to the browser whether a given username or email
address is registered (account enumeration)
{'$or': [{'username': request.POST['username']},
{'email': request.POST['username']}]})
{'$or': [{'username': request.POST['username']},
{'email': request.POST['username']}]})
- if not user:
- fp_form.username.errors.append(
- u"Sorry, the username doesn't exists")
- else:
user['fp_verification_key'] = unicode(uuid.uuid4())
user['fp_token_expire'] = datetime.datetime.now() + \
datetime.timedelta(days=10)
user['fp_verification_key'] = unicode(uuid.uuid4())
user['fp_token_expire'] = datetime.datetime.now() + \
datetime.timedelta(days=10)
send_fp_verification_email(user, request)
send_fp_verification_email(user, request)
- return redirect(request, 'mediagoblin.auth.fp_email_sent')
+ # do not reveal whether or not there is a matching user, just move along
+ return redirect(request, 'mediagoblin.auth.fp_email_sent')
return render_to_response(
request,
return render_to_response(
request,