
Password reset not public by default #71

Open
logut opened this issue Jan 29, 2018 · 6 comments

Comments

@logut

logut commented Jan 29, 2018

URLs for login and logout are public if django.contrib.auth is installed, but not password_reset, password_reset_done, password_reset_confirm nor password_reset_complete.
Could you add these? I can make a PR later if you prefer.

@mgrouchy
Owner

mgrouchy commented Feb 7, 2018

Total oversight, I will add them!

@mgrouchy
Owner

Bah, I have been slow. I am adding this to my todo list right now to resolve. Really sorry about this!

@pvandegeer

pvandegeer commented Mar 18, 2018

Adding them to settings manually like below doesn't help. Am I missing something?

STRONGHOLD_PUBLIC_NAMED_URLS = (
    'password_reset',
    'password_reset_done',
    'password_reset_confirm',
    'password_reset_complete',
)

The views for password_reset and password_reset_done work. I think the view behind the password_reset_confirm URL also initially works when following the link in the password reset e-mail.
But the Django PasswordResetConfirmView then redirects to itself with a different token, and that seems to get blocked, returning me to my LOGIN_URL.

It works as it should with the stronghold middleware disabled. Using Django 2.0 and Stronghold 0.3.0.

@logut
Author

logut commented Mar 18, 2018

@pvandegeer add them not by name but by pattern, related to #33 I think.

@tchamberlin

I just ran into this. For anyone else, it is indeed pretty straightforward to work around.

I set up the following public URLs:

STRONGHOLD_PUBLIC_NAMED_URLS = (
    "password_reset",
    "password_reset_done",
    "password_reset_confirm",
    "password_reset_complete",
)

password_reset_confirm cannot be reversed (since no parameters are given), and fails silently. So, you need to add:

STRONGHOLD_PUBLIC_URLS = ("^/accounts/reset/.*",)

To work around it.
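The failure mode described in the two comments above (a named URL that takes parameters cannot be reversed without them, so it silently never becomes public, and the confirm view's redirect to a second URL under the same prefix then gets blocked) can be reproduced without Django. The following is an added example, not code from django-stronghold or Django: it emulates the relevant behaviour with a constructed URL table mounted under an assumed /accounts/ prefix, a minimal reverse() that raises NoReverseMatch when a route parameter is missing, and a public-URL check that compares a path against the reversed names first and then against regex patterns. The exact matching semantics of stronghold's middleware are an assumption here; what the example shows is why a pattern is needed for password_reset_confirm while plain names suffice for the other three.

```python
import re

# Constructed URL table for this example (assumed to be mounted under /accounts/).
# It mirrors the django.contrib.auth reset flow: only password_reset_confirm
# takes route parameters.
URL_TEMPLATES = {
    "password_reset": "/accounts/password_reset/",
    "password_reset_done": "/accounts/password_reset/done/",
    "password_reset_confirm": "/accounts/reset/<uidb64>/<token>/",
    "password_reset_complete": "/accounts/reset/done/",
}


class NoReverseMatch(Exception):
    """Raised when a named route cannot be reversed (stand-in for Django's exception)."""


def reverse(name, **kwargs):
    """Reverse a name into a path; fails like Django does if a parameter is missing."""
    template = URL_TEMPLATES[name]

    def substitute(match):
        key = match.group(1)
        if key not in kwargs:
            raise NoReverseMatch(f"{name!r} requires the {key!r} parameter")
        return str(kwargs[key])

    return re.sub(r"<(\w+)>", substitute, template)


def resolve_public_named_urls(names):
    """Emulate STRONGHOLD_PUBLIC_NAMED_URLS: reverse each name, skip those that fail.

    Returns (public_paths, skipped_names). The silent skip is the behaviour the
    thread describes; here it is made visible so the caller can log it.
    """
    public_paths = set()
    skipped = []
    for name in names:
        try:
            public_paths.add(reverse(name))
        except NoReverseMatch:
            skipped.append(name)
    return public_paths, skipped


def is_public(path, public_paths, public_patterns):
    """Public if the path is one of the reversed names or matches a regex pattern.

    Anchoring at the start of the path is an assumption of this emulation.
    """
    if path in public_paths:
        return True
    return any(re.match(pattern, path) for pattern in public_patterns)


if __name__ == "__main__":
    names = ("password_reset", "password_reset_done",
             "password_reset_confirm", "password_reset_complete")
    paths, skipped = resolve_public_named_urls(names)
    print("skipped (not reversible without parameters):", skipped)

    # The link in the e-mail, and the URL the confirm view redirects to afterwards
    # (token replaced by a placeholder segment). Constructed sample values.
    email_link = reverse("password_reset_confirm", uidb64="MQ", token="abc123-def456")
    redirect_target = reverse("password_reset_confirm", uidb64="MQ", token="set-password")

    for patterns in ((), ("^/accounts/reset/.*",)):
        print(patterns, is_public(email_link, paths, patterns),
              is_public(redirect_target, paths, patterns))
```

With only the four names configured, both the e-mailed link and the redirect target are blocked; adding the "^/accounts/reset/.*" pattern makes both public while leaving unrelated paths (for example /accounts/profile/) protected. If the reset views are mounted under a different prefix, the pattern has to follow the prefix actually used in the project's urls.py.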

@zafercuz

zafercuz commented Sep 18, 2020

For people who are using django-allauth add this to the configs:

STRONGHOLD_PUBLIC_URLS = ("/accounts/password/reset/key/.*", "/accounts/confirm-email/.*",)
STRONGHOLD_PUBLIC_NAMED_URLS = (
    'account_signup',
    'account_login',
    'account_reset_password',
    'account_reset_password_done',
    'account_reset_password_from_key',
    'account_reset_password_from_key_done',
    'account_email_verification_sent',
    'account_confirm_email'
)
