do not store username in password reset tokens (#49131)
This commit is contained in:
parent
71183a9730
commit
f904f03a57
@ -806,8 +806,8 @@ def build_reset_password_url(user, request=None, next_url=None, set_random_passw
|
|||
user.save()
|
||||
lifetime = settings.PASSWORD_RESET_TIMEOUT_DAYS * 3600 * 24
|
||||
# invalidate any token associated with this user
|
||||
Token.objects.filter(kind='pw-reset', content__user=user.pk, content__email=user.email, content__username=user.username).delete()
|
||||
token = Token.create('pw-reset', {'user': user.pk, 'email': user.email, 'username': user.username}, duration=lifetime)
|
||||
Token.objects.filter(kind='pw-reset', content__user=user.pk, content__email=user.email).delete()
|
||||
token = Token.create('pw-reset', {'user': user.pk, 'email': user.email}, duration=lifetime)
|
||||
reset_url = make_url(
|
||||
'password_reset_confirm',
|
||||
kwargs={'token': token.uuid_b64url},
|
||||
|
|
|
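Review bot: The invalidation filter on the new side still matches on `content__email=user.email`, so a reset token issued before the account's email address was changed is not deleted and stays valid for its full lifetime, which contradicts the comment `# invalidate any token associated with this user` just above it. Now that the token carries the stable `user` pk, filtering on that key alone covers every token for the account: `Token.objects.filter(kind='pw-reset', content__user=user.pk).delete()`. Tokens created before this commit still contain a `username` key; whether the key-transform lookup on `content` ignores extra keys depends on the Token field type, which is outside the hunk, so it is worth confirming that pre-existing tokens are still invalidated. build_reset_password_url starts before the hunk and continues after it.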
@ -680,8 +680,7 @@ class PasswordResetView(FormView):
|
|||
|
||||
# if an email has already been sent, warn once before allowing resend
|
||||
token = models.Token.objects.filter(
|
||||
Q(content__email__iexact=email) | Q(content__username__iexact=email),
|
||||
kind='pw-reset', expires__gt=timezone.now()
|
||||
kind='pw-reset', content__email=email, expires__gt=timezone.now()
|
||||
).exists()
|
||||
resend_key = 'pw-reset-allow-resend'
|
||||
if app_settings.A2_TOKEN_EXISTS_WARNING and token and not self.request.session.get(resend_key):
|
||||
|
|
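Review bot: The replacement line drops the `__iexact` that the removed `Q(content__email__iexact=email)` lookup had, so the existence check on the new side is case-sensitive: an address typed with different casing than the one stored by build_reset_password_url no longer finds the live token, and the one-time resend warning governed by `A2_TOKEN_EXISTS_WARNING` is skipped. Keeping the case-insensitive lookup restores the previous behaviour: `kind='pw-reset', content__email__iexact=email, expires__gt=timezone.now()`. Dropping the username branch also means a user who submitted a username rather than an address (if the view still accepts one — the input handling is outside the hunk) gets no warning; if that is intended, a short comment on the filter stating that the lookup is email-only by design would help the next reader. The enclosing method starts and ends outside the hunk.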