Question

I have a couple of questions regarding how the password reset works in Django.

  1. How can I test the password reset during the development phase?

  2. The password reset sends an email to unregistered email addresses successfully (as it appears on screen). I thought it should display "no such registered email address is found" instead of displaying "password reset successful".

  3. Here is the form used for password reset. I am confused by the form action. It submits to itself, which is http://127.0.0.1:8000/accounts/password/reset/, but how is it that it is redirected to http://127.0.0.1:8000/accounts/password/reset/done/ after submission when it submits to itself?

    {% extends "registration/registration_base.html" %}
    {% load i18n %}
    {% block title %}{% trans "Reset password" %}{% endblock %}
    {% block content %}{% blocktrans %}
    Forgot your password?  Enter your email in the form below and we'll send you
    instructions for creating a new one.{% endblocktrans %}
    <form method='post' action=''>{% csrf_token %}
    <table>
        {{ form }}
        <tr><td></td><td><input type='submit' value="{% trans "Reset password"  %}" /></td></tr>
    </table>
    </form>
    {% endblock %}
    

Solution

  1. I presume the problem is that your development environment isn't set up to send emails? In that case, add this in your settings_local (or equivalent):

    EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
    

    This will cause emails to be displayed in the runserver terminal. You can copy-paste any links from there.

  2. That is deliberate, to not allow outside users to poke at the registration form and see whether a particular email has been registered or not. A "privacy feature", I guess we could call it.

  3. POST-ing to the same URL is a standard practice in Django. It is not a requirement, but it just makes sense to do that. It makes sense because that way a single View handles both creating the Form and receiving the data; see Using a form in a view.
    And the redirection happens from the View, deliberately:

    from django.shortcuts import redirect

    # method of the password-reset FormView; Django calls it with the bound, validated form
    def form_valid(self, form):

        # blah blah... (send the reset e-mail here)

        # success_url of the reset view points at .../accounts/password/reset/done/
        return redirect(self.get_success_url())
    

    The redirection after a POST is also a standard practice, and not just in Django: http://en.wikipedia.org/wiki/Post/Redirect/Get
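The three points above (identical outcome for known and unknown addresses, mail visible only server-side, and the Post/Redirect/Get hop to the "done" page) can be checked in one place. The following is an added example written for this page, not Django's code and not the answer's; it is a framework-free stand-in so it runs offline. `USERS`, the two URLs, `leaky_reset`, `safe_reset`, `Outbox` and `Response` are constructed names. `leaky_reset` is the behaviour the question asked for, kept only as the contrast case.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample user table (stand-in for the User model): email -> username
USERS = {"alice@example.com": "alice"}

RESET_URL = "/accounts/password/reset/"
DONE_URL = "/accounts/password/reset/done/"


@dataclass
class Response:
    """What the browser sees: status, Location header (for redirects) and body."""
    status: int
    location: Optional[str] = None
    body: str = ""


@dataclass
class Outbox:
    """Stand-in for django.core.mail.outbox: mail the server sent, invisible to the client."""
    messages: List[Tuple[str, str]] = field(default_factory=list)


def leaky_reset(email: str, outbox: Outbox) -> Response:
    """The behaviour the question expected: an explicit 'no such address' error.
    The differing response tells any client whether an address is registered."""
    if email not in USERS:
        return Response(404, body="no such registered email address is found")
    outbox.messages.append((email, "Password reset instructions"))
    return Response(302, location=DONE_URL)


def safe_reset(email: str, outbox: Outbox) -> Response:
    """Django-style handling: form_valid() always redirects to the 'done' page
    (Post/Redirect/Get). Mail is sent only for a known address, and that is the
    one thing the requesting client cannot observe."""
    if email in USERS:
        outbox.messages.append((email, "Password reset instructions"))
    return Response(302, location=DONE_URL)


def client_visible(resp: Response) -> Tuple[int, Optional[str], str]:
    """Everything an outside client can compare between two requests."""
    return (resp.status, resp.location, resp.body)


def leaks_registration_status(handler) -> bool:
    """True if a known and an unknown address produce different client-visible output."""
    known = handler("alice@example.com", Outbox())
    unknown = handler("nobody@example.com", Outbox())
    return client_visible(known) != client_visible(unknown)


def mails_sent(handler, email: str) -> int:
    """Number of messages the handler queued for one request (server-side view only)."""
    outbox = Outbox()
    handler(email, outbox)
    return len(outbox.messages)


if __name__ == "__main__":
    for name, handler in (("leaky_reset", leaky_reset), ("safe_reset", safe_reset)):
        print(name, "leaks registration status:", leaks_registration_status(handler))
        print(name, "mails for unknown address:", mails_sent(handler, "nobody@example.com"))
```

In a real Django project the same two checks belong in a `django.test.TestCase`: POST the address to the reset URL with the test client, assert the 302 to the "done" URL for both a registered and an unregistered address, and count `django.core.mail.outbox`, which the test runner fills because it swaps in the in-memory e-mail backend for you. That is the development-time testing point 1 is about, without ever needing a real mail server.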

OTHER TIPS

It doesn't display "no such registered email address is found", as it is the best practice approach against phishing attempts. However, you can always write your own code to check if the given email exists in your DB. As for how the user gets redirected to '/accounts/password/reset/done/', I'd have to see the 'Reset password' view to know for sure.

Licensed under: CC-BY-SA with attribution