From d36a9bc1cbd43af52f43f36dedeed7b6c1e8f7c0 Mon Sep 17 00:00:00 2001
From: Matt d'Entremont
Date: Mon, 4 Jan 2016 10:17:47 -0400
Subject: [PATCH] #131: Do not raise 400 when resetting password for non-existing account

- Do not raises validation error if email doesn't exist
- Update unit test
---
 rest_auth/serializers.py | 3 ---
 rest_auth/tests/test_api.py | 5 ++++-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rest_auth/serializers.py b/rest_auth/serializers.py
index a2d1a82..4896d3c 100644
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@@ -115,9 +115,6 @@ class PasswordResetSerializer(serializers.Serializer):
         if not self.reset_form.is_valid():
             raise serializers.ValidationError(_('Error'))
 
-        if not UserModel.objects.filter(email__iexact=value).exists():
-            raise serializers.ValidationError(_('Invalid e-mail address'))
-
         return value
 
     def save(self):
diff --git a/rest_auth/tests/test_api.py b/rest_auth/tests/test_api.py
index b64cf8c..222178c 100644
--- a/rest_auth/tests/test_api.py
+++ b/rest_auth/tests/test_api.py
@@ -234,12 +234,15 @@ class APITestCase1(TestCase, BaseAPITestCase):
         self.assertEqual(len(mail.outbox), mail_count + 1)
 
     def test_password_reset_with_invalid_email(self):
+        """
+        Invalid email should not raise error, as this would leak users
+        """
         get_user_model().objects.create_user(self.USERNAME, self.EMAIL, self.PASS)
 
         # call password reset
         mail_count = len(mail.outbox)
         payload = {'email': 'nonexisting@email.com'}
-        self.post(self.password_reset_url, data=payload, status_code=400)
+        self.post(self.password_reset_url, data=payload, status_code=200)
         self.assertEqual(len(mail.outbox), mail_count)
 
     def test_user_details(self):
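Review bot: Dropping the explicit `UserModel` lookup closes the enumeration oracle only if the form behind `self.reset_form.is_valid()` is itself account-agnostic; the remaining `raise serializers.ValidationError(_('Error'))` on the line above the deletion still turns any form-level rejection into a 400, so a reset form class that validates address existence in its own clean step (allauth's reset form does) would reintroduce the leak with a different message. Please confirm which form class this serializer builds `reset_form` from; Django's own `PasswordResetForm` does not reject unknown addresses, and a comment such as `# Unknown addresses are deliberately accepted here to avoid leaking which accounts exist; the form must not validate existence either` would pin that invariant for the next maintainer. The enclosing validator method starts outside the hunk, and if this was the serializer's only use of `UserModel`, that import is presumably now unused and could be removed.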
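Review bot: The test now pins the status code and the mailbox count, but it does not pin the response body, so a later change could return 200 with a body that differs between known and unknown addresses and the test would still pass. Capturing the response here and asserting it matches the body returned for an existing address (the sibling reset test just above this hunk exercises that case) would make the test guard the property the docstring names. The docstring could also be more precise: `Unknown email must still return 200 and send no mail, so the endpoint does not reveal which accounts exist`.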