This change allows password reset with any email address associated with the
account.
The password reset will only be sent to the active email addresses associated
with the account.
Fixes #5057
* fix: Only send password reset email to known, active addresses
Limits password reset to Users with a Person and at least one active
address on file. Avoids the possibility of sending a password reset to
a spoofed address as in CVE-2019-19844.
* test: Use factory instead of explicit construction
* test: Test that a User with no Person cannot reset password
* fix: Fix handling of User.person field when it's null
* test: Test that reset emails are sent to known, active addresses
* chore: Use codespell to fix typos in code.
Second part of replacement of #4651
@rjsparks, I probably need to revert some things here, and I also
still need to add that new migration - how do I do that?
* Revert migrations
* Migrate "Whitelisted" to "Allowlisted"
* TEST_COVERAGE_MASTER_FILE -> TEST_COVERAGE_MAIN_FILE
* Fix permissions
* Add suggestions from @jennifer-richards
* fix: remove help/personal-information and the prompt-for-consent email management command.
* fix: remove gdpr treatment except for consent checkbox. Rename Submit.
* fix: drop the consent column from Person and Person.History
* fix: remove the consent boolean. Reorganize the account info form.
* chore: reorder migrations
* refactor: replace datetime.now with timezone.now
* refactor: migrate model fields to use timezone.now as default
* refactor: replace datetime.today with timezone.now
datetime.datetime.today() is equivalent to datetime.datetime.now(); both
return a naive datetime with the current local time.
* refactor: rephrase datetime.now(tz) as timezone.now().astimezone(tz)
This is effectively the same, but is less likely to encourage accidental
use of naive datetimes.
* refactor: revert datetime.today() change to old migrations
* refactor: change a missed datetime.now to timezone.now
* chore: renumber timezone_now migration
* chore: renumber migrations
* feat: add pronouns
* fix: include migrations
* fix: correct daggers on person form.
* fix: clean pronouns
* feat: add choices to pronouns
* feat: show pronouns on public profile
* feat: add pronouns to oidc userinfo
* fix: move pronouns to new claim. Add tests.
* fix: improve html generated by new widget
* feat: use a MultiWidget for pronouns
* refactor: use two fields on Person for the two types of pronoun entry.
* chore: update copyrights
From Kesara Rathnayake: Expire password reset links on use, password change through other mechanics, login, or a short configurable time (initially one hour). Patched in at 7.45.0.p2.
- Legacy-Id: 19968
Note: SVN reference [19967] has been migrated to Git commit 682392081bddbd1b8653df9135388e6b7c48ee1c
Use temporary directories instead of 'real' filesystem for tests. Fixes #3414.
- Legacy-Id: 19561
Note: SVN reference [19555] has been migrated to Git commit 81d9234d54