Merge pull request #145 from mdentremont/topic/131

#131: Do not raise 400 when resetting password for non-existing account
2024-09-21 11:18:49 +03:00 · 2016-01-14 23:53:31 +01:00 · 2016-01-14 23:53:31 +01:00 · 00415301d6
commit 00415301d6
parent 811dc30830 d36a9bc1cb
2 changed files with 4 additions and 4 deletions
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@ -151,9 +151,6 @@ class PasswordResetSerializer(serializers.Serializer):
        if not self.reset_form.is_valid():
            raise serializers.ValidationError(_('Error'))

-        if not UserModel.objects.filter(email__iexact=value).exists():
-            raise serializers.ValidationError(_('Invalid e-mail address'))
-
        return value

    def save(self):
--- a/rest_auth/tests/test_api.py
+++ b/rest_auth/tests/test_api.py
@ -280,12 +280,15 @@ class APITestCase1(TestCase, BaseAPITestCase):
        self.assertEqual(len(mail.outbox), mail_count + 1)

    def test_password_reset_with_invalid_email(self):
+        """
+        Invalid email should not raise error, as this would leak users
+        """
        get_user_model().objects.create_user(self.USERNAME, self.EMAIL, self.PASS)

        # call password reset
        mail_count = len(mail.outbox)
        payload = {'email': 'nonexisting@email.com'}
-        self.post(self.password_reset_url, data=payload, status_code=400)
+        self.post(self.password_reset_url, data=payload, status_code=200)
        self.assertEqual(len(mail.outbox), mail_count)

    def test_user_details(self):