(BUG?) Password reset statistics #3509

Closed
sowinski opened this issue Nov 3, 2023 · 4 comments

sowinski commented Nov 3, 2023

Hi,

I want to log how many password reset emails are sent per day.
(Because I guess there are some bots sending password resets all the time, but I am not sure).

  1. Is there somewhere some information saved on a password reset in the database?
  2. If not, where would be the best place to implement my own code?
  3. Not sure if this is a bug or a feature but if you enter a non-registered address then the system is also sending an e-mail. Why? Can I turn this off?

pennersr commented Nov 3, 2023

Password resets trigger calls to one of:

  • get_adapter().send_mail("account/email/unknown_account", email, context)
  • get_adapter().send_mail("account/email/password_reset_key", email, context)

So, you could override the adapter send_mail() method and check the template name...
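
The override suggested above, sketched as an added example that is not part of the thread or of django-allauth: a mixin that counts reset mails per day by template name and flags addresses that are targeted repeatedly. `ResetMailStatsMixin`, `StubAdapter`, `STATS_KEY` and the in-memory counters are assumptions; the stub stands in for the real adapter so the block runs offline.

```python
import hashlib
import hmac
import logging
from collections import Counter
from datetime import date

logger = logging.getLogger("reset_mail_stats")
STATS_KEY = b"constructed-demo-key"  # assumption: use a real secret in production
# Template prefixes quoted in the thread, mapped to short labels.
RESET_TEMPLATES = {
    "account/email/unknown_account": "unknown_account",
    "account/email/password_reset_key": "password_reset_key",
}
# In-memory for the demo (assumption); persist these to share across workers.
daily_counts = Counter()      # (iso_day, label) -> mails sent
daily_recipients = Counter()  # (iso_day, keyed digest of address) -> mails sent

def recipient_digest(email):
    """Keyed digest, so the statistics never store a plain address."""
    normalized = email.strip().lower().encode()
    return hmac.new(STATS_KEY, normalized, hashlib.sha256).hexdigest()[:16]

class ResetMailStatsMixin:
    """Counts reset mails per day, then delegates to the real send_mail()."""
    def send_mail(self, template_prefix, email, context):
        label = RESET_TEMPLATES.get(template_prefix)
        if label is not None:
            day, digest = date.today().isoformat(), recipient_digest(email)
            daily_counts[(day, label)] += 1
            daily_recipients[(day, digest)] += 1
            logger.info("reset_mail day=%s kind=%s rcpt=%s", day, label, digest)
        return super().send_mail(template_prefix, email, context)

class StubAdapter:
    """Constructed stand-in for the allauth adapter; records instead of sending."""
    def __init__(self):
        self.sent = []

    def send_mail(self, template_prefix, email, context):
        self.sent.append((template_prefix, email))

class StatsAdapter(ResetMailStatsMixin, StubAdapter):
    """Demo wiring: the mixin must come first so its send_mail() runs first."""

def repeated_targets(day, threshold=3):
    """Digests of addresses that got at least `threshold` reset mails on `day`."""
    return sorted(digest for (d, digest), n in daily_recipients.items()
                  if d == day and n >= threshold)
```

In a project the mixin would be placed in front of allauth's `DefaultAccountAdapter` instead of the stub, and the resulting class selected with the `ACCOUNT_ADAPTER` setting.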

pennersr closed this as not planned on Nov 3, 2023

pennersr commented Nov 3, 2023

  1. No
  2. See above
  3. Good UX.

If you're worried about sending too many of these mails, the password reset view is rate limited. You might want to tighten the rate limits.


sowinski commented Nov 29, 2023

Is it possible to disable this feature? It might be good UX but it is in Europe against GDPR laws.

It would be nice, if we could disable this in the settings.

If it is not possible, where would you disable this at all for non-registered users? Also in the send_mail() method?

EDIT: I ended up with this:

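    from allauth.account.adapter import DefaultAccountAdapter

    # Base class assumed; the post shows only the method.
    class MyDefaultAccountAdapter(DefaultAccountAdapter):
        def send_mail(self, template_prefix, email, context):
            # Drop the mail that would go to an address with no account.
            if template_prefix == "account/email/unknown_account":
                return

            super(MyDefaultAccountAdapter, self).send_mail(template_prefix, email, context)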

pennersr commented

> but it is in Europe against GDPR laws.

IANAL, but I doubt this to be true. I can sign up on any EU site using your email address, and all those sites will all send you an unsolicited (confirmation) email, and you cannot prevent this.

So yes, you can trick a system into sending an email to somebody that did not ask for it. How are you going to prevent that?

Having said that, given that people feel strongly about this there is some work ongoing in this area here: #3528
