Commit 0c850e28 authored by Claude Paroz's avatar Claude Paroz

[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

Backport of 5f525903 from master.
parent 742585b5
+3 −2
@@ -228,8 +228,9 @@ class PasswordResetForm(forms.Form):
        from django.core.mail import send_mail
        UserModel = get_user_model()
        email = self.cleaned_data["email"]
        users = UserModel._default_manager.filter(email__iexact=email)
        for user in users:
        active_users = UserModel._default_manager.filter(
            email__iexact=email, is_active=True)
        for user in active_users:
            # Make sure that no email is sent to a user that actually has
            # a password marked as unusable
            if not user.has_usable_password():
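Review bot: The new filter hard-codes `is_active` as a database field, and since the lookup goes through `get_user_model()` a custom `AUTH_USER_MODEL` that does not define that field will raise `FieldError` the moment anyone submits the reset form, turning what should be a silent no-op into a server error; this is inferred from the visible lookup, not from a model I can see. At minimum state the assumption next to the query, e.g. `# Assumes the user model has an is_active field; custom user models without it will raise FieldError here`, or filter in Python with `getattr(user, 'is_active', True)` inside the loop when the field is absent. Note also that this only stops new reset emails: a token issued before an account was deactivated remains valid until it expires, so unless the confirm view rejects inactive users as well (not visible here) a reset already in flight can still be completed. The enclosing `save()` method begins before and continues after this hunk.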
+1 −0
@@ -401,6 +401,7 @@ class PasswordResetFormTest(TestCase):
        user.save()
        form = PasswordResetForm({'email': email})
        self.assertTrue(form.is_valid())
        form.save()
        self.assertEqual(len(mail.outbox), 0)

    def test_unusable_password(self):