Hi there,
I was using Django’s default PasswordResetDoneView and PasswordResetCompleteView, but now I want to add some little extra behavior in these views, that is, to change the user.is_active attribute to False in PasswordResetDoneView and reset user.is_active back to True in PasswordResetCompleteView.
I looked it up on the internet and found existing questions related to this on this forum, where I found these links: PasswordResetConfirmView -- Classy CBV and PasswordResetCompleteView -- Classy CBV
But I am not sure which method to override, and how to override it, to get my desired behavior without changing the default behavior, or more specifically, to add my desired behavior to the default behavior.
I think that could be a security problem: if you mark a user as is_active False in the PasswordResetDoneView, every person with access to your users’ email addresses will be able to leave them without the possibility of logging in to the system.
@Rigo-Villalta Are you sure about it? Doesn’t the default login system of Django require users to have is_active as True in order to log in?
Yes, that’s what I am talking about. If some person enters the recovery view and types your email, and after that you try to log in to the system, you wouldn’t be able to; you would have to go to your mail and change your password. That could be uncomfortable if there is some guy entering emails a lot.
No data is at risk, but it could give a good headache.
Actually, I set the password reset timeout to 1 hour. And I have already added the condition in PasswordResetView to change the user status to active when the allocated time for the password reset link runs out. So, I don’t think there will be any issue.
How are you doing that? Are you running a cron job every minute to see if the password links time out? (What event is going to cause that code to run to reset the status?)
Also note that if is_active is False, the system will not send a password reset email to them.
I’m probably more curious to find out what problem or issue you’re trying to solve by doing this.
I just wrote a simple condition that if the time is greater than the allocated time, then change the status of is_active to True. But oh, I just understood what you said. It means that if the user never opens the reset password link again, then his status will never be changed to active again. So, now I want to know what this cron job is and how I can easily implement it for this short task?
The reason I want to change the user’s active status to False when he requests a password reset link is so that, while the user is on his/her way to resetting the password, someone who knows his/her password cannot log in to the system. Would a cron job be the good solution, or should I go for 2FA (Two Factor Authentication)?
If you’re not familiar with cron, start here - cron - Wikipedia
Regarding your second question (2FA or not), “security” is not a binary situation. It’s not a question of you are or are not secure - it’s all a matter of degree.
What is the value of the data being protected? What are the effects if an account is compromised? Those risks are what need to be evaluated, and the degree to which accounts need to be secured should be based on that assessment. (And, the security of an account could be dependent upon the permissions granted to that account.)
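The lockout lifecycle discussed in this thread, as an added pure-Python model (not Django code and not written by any poster): it mimics the is_active filter that Django's reset form applies, the 1-hour timeout, and the periodic job Ken describes, and shows that without a separate trigger a user who never completes the reset stays locked out and cannot even request a second email. The names User, RESET_TIMEOUT, request_reset, complete_reset and reactivate_expired are assumptions for the model, and the sample user is constructed.

```python
# Constructed model of the "deactivate on reset request" design from the thread.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

RESET_TIMEOUT = timedelta(hours=1)  # the 1-hour reset link timeout mentioned above


@dataclass
class User:
    email: str
    is_active: bool = True
    reset_requested_at: Optional[datetime] = None


def users_for_reset_email(users: List[User], email: str) -> List[User]:
    """Mimics Django's PasswordResetForm.get_users(): inactive users get no email."""
    return [u for u in users if u.email == email and u.is_active]


def request_reset(users: List[User], email: str, now: datetime) -> int:
    """The design under discussion: lock the account when a reset is requested.
    Returns how many reset emails would be sent."""
    matched = users_for_reset_email(users, email)
    for u in matched:
        u.is_active = False
        u.reset_requested_at = now
    return len(matched)


def complete_reset(user: User, now: datetime) -> bool:
    """PasswordResetCompleteView-style step: unlock only while the link is valid."""
    if user.reset_requested_at is None or now - user.reset_requested_at > RESET_TIMEOUT:
        return False  # expired link: nothing here reactivates the account
    user.is_active, user.reset_requested_at = True, None
    return True


def reactivate_expired(users: List[User], now: datetime) -> List[str]:
    """What a periodic (cron) job would run: lift locks whose reset window expired."""
    revived = []
    for u in users:
        if not u.is_active and u.reset_requested_at and now - u.reset_requested_at > RESET_TIMEOUT:
            u.is_active, u.reset_requested_at = True, None
            revived.append(u.email)
    return revived


def scenario():
    """Walk-through with a constructed user: second request dropped, lock persists past
    the timeout until the sweep runs."""
    t0 = datetime(2024, 1, 1, 12, 0)
    users = [User("alice@example.com")]
    first = request_reset(users, "alice@example.com", t0)                              # 1 email, locked
    second = request_reset(users, "alice@example.com", t0 + timedelta(minutes=5))      # 0: now inactive
    late = complete_reset(users[0], t0 + RESET_TIMEOUT + timedelta(minutes=1))         # False: expired
    still_locked = not users[0].is_active                                              # True: no trigger yet
    revived = reactivate_expired(users, t0 + RESET_TIMEOUT + timedelta(minutes=1))     # the cron sweep
    return first, second, late, still_locked, revived, users[0].is_active
```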