misc: send password reset email even if no account (#47469)

2021-03-02 18:02:03 +01:00 · 2021-03-02 18:02:03 +01:00 · 1ae7ac6df7
parent 1192ec0901
commit 1ae7ac6df7
9 changed files with 66 additions and 7 deletions
--- a/src/authentic2/forms/passwords.py
+++ b/src/authentic2/forms/passwords.py
@ -22,6 +22,7 @@ from django.core.exceptions import ValidationError
 from django.db.models import Q
 from django.forms import Form
 from django import forms
+from django.urls import reverse
 from django.utils.translation import ugettext_lazy as _

 from .. import models, hooks, app_settings, utils
@ -45,10 +46,8 @@ class PasswordResetForm(forms.Form):
        user.
        """
        email = self.cleaned_data["email"].strip()
-        users = get_user_queryset()
-        active_users = users.filter(
-            Q(email__iexact=email) | Q(username__iexact=email),
-            is_active=True)
+        users = get_user_queryset().filter(Q(email__iexact=email) | Q(username__iexact=email))
+        active_users = users.filter(is_active=True)
        for user in active_users:
            # we don't set the password to a random string, as some users should not have
            # a password
@ -58,8 +57,10 @@ class PasswordResetForm(forms.Form):
                user,
                set_random_password=set_random_password,
                next_url=self.cleaned_data.get('next_url'))
-        if not active_users:
+        if not users.exists():
            logger.info(u'password reset request for "%s", no user found', email)
+            ctx = {'registration_url': utils.make_url('registration_register', absolute=True)}
+            utils.send_templated_mail(email, ['authentic2/password_reset_no_account'], context=ctx)
        hooks.call_hooks('event', name='password-reset', email=email, users=active_users)


--- a/src/authentic2/templates/authentic2/password_reset_no_account_body.html
+++ b/src/authentic2/templates/authentic2/password_reset_no_account_body.html
@ -0,0 +1,14 @@
+{% extends "emails/body_base.html" %}
+{% load i18n %}
+
+{% block content %}
+<p>{% trans "Hi," %}</p>
+
+<p>{% blocktrans trimmed with hostname=request.get_host %}
+You requested reset of your password on {{ hostname }}, but no account was found associated with this address.
+{% endblocktrans %}</p>
+
+{% with _("Create an account") as button_label %}
+{% include "emails/button-link.html" with url=registration_url label=button_label %}
+{% endwith %}
+{% endblock %}
--- a/src/authentic2/templates/authentic2/password_reset_no_account_body.txt
+++ b/src/authentic2/templates/authentic2/password_reset_no_account_body.txt
@ -0,0 +1,9 @@
+{% extends "emails/body_base.txt" %}
+{% load i18n %}
+
+{% block content %}{% trans "Hi," %}
+{% blocktrans trimmed with hostname=request.get_host %}
+You requested reset of your password on {{ hostname }}, but no account was found associated with this address.
+{% endblocktrans %}
+{% trans "You can create an account here:" %} {{ registration_url }}.
+{% endblock %}
--- a/src/authentic2/templates/authentic2/password_reset_no_account_subject.txt
+++ b/src/authentic2/templates/authentic2/password_reset_no_account_subject.txt
@ -0,0 +1,4 @@
+{% extends "emails/subject.txt" %}
+{% load i18n %}
+
+{% block email-subject %}{% blocktrans with hostname=request.get_host %}Password reset on {{ hostname }}{% endblocktrans %}{% endblock %}
--- a/src/authentic2/templates/emails/body_base.html
+++ b/src/authentic2/templates/emails/body_base.html
@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+</head>
+<body>
+  <div style="max-width: 60ex;">
+    <div class="content">
+      {% block content %}
+      {{ content }}
+      {% endblock %}
+    </div>
+  </div>
+</body>
+</html>
--- a/src/authentic2/templates/emails/body_base.txt
+++ b/src/authentic2/templates/emails/body_base.txt
@ -0,0 +1 @@
+{% block content %}{{ content }}{% endblock %}
--- a/src/authentic2/templates/emails/button-link.html
+++ b/src/authentic2/templates/emails/button-link.html
@ -0,0 +1 @@
+<a href="{{url}}">{{label}}</a>
--- a/src/authentic2/templates/emails/subject.txt
+++ b/src/authentic2/templates/emails/subject.txt
@ -0,0 +1 @@
+{% block email-subject %}{% endblock %}
--- a/tests/test_password_reset.py
+++ b/tests/test_password_reset.py
@ -103,7 +103,7 @@ def test_user_filter(app, simple_user, mailoutbox, settings):
    resp.form.set('email', simple_user.email)
    assert len(mailoutbox) == 0
    resp = resp.form.submit()
-    assert len(mailoutbox) == 0
+    assert 'no account was found associated with this address' in mailoutbox[0].body


 def test_user_exclude(app, simple_user, mailoutbox, settings):
@ -114,7 +114,7 @@ def test_user_exclude(app, simple_user, mailoutbox, settings):
    resp.form.set('email', simple_user.email)
    assert len(mailoutbox) == 0
    resp = resp.form.submit()
-    assert len(mailoutbox) == 0
+    assert 'no account was found associated with this address' in mailoutbox[0].body


 def test_old_url_redirect(app):
@ -122,3 +122,16 @@ def test_old_url_redirect(app):
    assert response.location == '/accounts/password/reset/'
    response = response.follow()
    assert 'please reset your password again' in response
+
+
+def test_send_password_reset_email_no_account(app, db, mailoutbox):
+    url = reverse('password_reset')
+    resp = app.get(url, status=200)
+    resp.form.set('email', 'test@entrouvert.com')
+    resp = resp.form.submit()
+
+    mail = mailoutbox[0]
+    assert mail.subject == 'Password reset on testserver'
+    for body in (mail.body, mail.alternatives[0][0]):
+        assert 'no account was found associated with this address' in body
+        assert 'http://testserver/accounts/register/' in body
				`@ -0,0 +1 @@`
				`{% block content %}{{ content }}{% endblock %}`