
Password reset not public by default


URLs for login and logout are public if django.contrib.auth is installed, but not password_reset, password_reset_done, password_reset_confirm nor password_reset_complete. Could you add these? I can make a PR later if you prefer.

Issue Analytics

  • State: open
  • Created 6 years ago
  • Comments:6 (2 by maintainers)

Top GitHub Comments

3 reactions
tchamberlin commented, Mar 26, 2019

I just ran into this. For anyone else, it is indeed pretty straightforward to work around.

I set up the following public URLs:

STRONGHOLD_PUBLIC_NAMED_URLS = (
    "password_reset",
    "password_reset_done",
    "password_reset_confirm",
    "password_reset_complete",
)

password_reset_confirm cannot be reversed (since no parameters are given), and fails silently. So, you need to add:

STRONGHOLD_PUBLIC_URLS = ("^/accounts/reset/.*",)

To work around it.
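Added example, not code from the thread or from django-stronghold: a stand-alone simulation of what happens when a public-named-URL list contains an entry whose route needs parameters. The route table, the reverse() stub, the "set-password" redirect path and check_config() are constructed for illustration; the silent-skip behaviour follows tchamberlin's description above, and the regex fallback is the one given in the comment.

```python
import re

# Constructed stand-in for a Django URLconf: name -> path regex.
# Only password_reset_confirm carries URL parameters (uidb64, token).
ROUTES = {
    "login": r"^/accounts/login/$",
    "password_reset": r"^/accounts/password_reset/$",
    "password_reset_done": r"^/accounts/password_reset/done/$",
    "password_reset_confirm": r"^/accounts/reset/(?P<uidb64>[^/]+)/(?P<token>[^/]+)/$",
    "password_reset_complete": r"^/accounts/reset/done/$",
}


class NoReverseMatch(Exception):
    """Stands in for django.urls.NoReverseMatch in this example."""


def reverse(name):
    # A route with named groups cannot be reversed without arguments,
    # which is exactly the case for password_reset_confirm.
    pattern = ROUTES[name]
    if "(?P<" in pattern:
        raise NoReverseMatch(f"{name} requires URL parameters")
    return pattern.strip("^$")


def build_public_matchers(named_urls, url_patterns):
    """Compile the public-URL matchers and report silently dropped names.

    Modelled on the behaviour described in the thread: a named URL that
    cannot be reversed is skipped instead of raising a configuration error.
    """
    matchers = [re.compile(p) for p in url_patterns]
    dropped = []
    for name in named_urls:
        try:
            matchers.append(re.compile("^" + re.escape(reverse(name)) + "$"))
        except NoReverseMatch:
            dropped.append(name)
    return matchers, dropped


def check_config(named_urls, url_patterns, path):
    """Return which names were dropped and whether `path` ends up public."""
    matchers, dropped = build_public_matchers(named_urls, url_patterns)
    return {"dropped": dropped,
            "public": any(m.match(path) for m in matchers)}
```

Running check_config() with only the named tuple shows password_reset_confirm in `dropped` and the confirm link still private; adding the `^/accounts/reset/.*` pattern makes both the e-mailed link and the view's self-redirect public.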

1 reaction
pvandegeer commented, Mar 18, 2018

Adding them to settings manually like below doesn’t help. Am I missing something?

STRONGHOLD_PUBLIC_NAMED_URLS = (
    'password_reset',
    'password_reset_done',
    'password_reset_confirm',
    'password_reset_complete',
)

The views for password_reset and password_reset_done work. I think the view behind the password_reset_confirm URL also initially works when following the link in the password reset e-mail. But the Django PasswordResetConfirmView then redirects to itself with a different token, and that seems to get blocked, returning me to my LOGIN_URL.

It works as it should with the stronghold middleware disabled. Using Django 2.0 and Stronghold 0.3.0.
