Fixed #21291 -- Ensured inactive users cannot reset their passwords
Thanks kz26 for the report and the suggested fix. Refs #19758.
parent
59a8808632
commit
5f52590368
|
@ -238,8 +238,9 @@ class PasswordResetForm(forms.Form):
|
||||||
from django.core.mail import send_mail
|
from django.core.mail import send_mail
|
||||||
UserModel = get_user_model()
|
UserModel = get_user_model()
|
||||||
email = self.cleaned_data["email"]
|
email = self.cleaned_data["email"]
|
||||||
users = UserModel._default_manager.filter(email__iexact=email)
|
active_users = UserModel._default_manager.filter(
|
||||||
for user in users:
|
email__iexact=email, is_active=True)
|
||||||
|
for user in active_users:
|
||||||
# Make sure that no email is sent to a user that actually has
|
# Make sure that no email is sent to a user that actually has
|
||||||
# a password marked as unusable
|
# a password marked as unusable
|
||||||
if not user.has_usable_password():
|
if not user.has_usable_password():
|
||||||
|
|
|
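Review bot: The `is_active=True` lookup added to the `filter(...)` call is resolved by the ORM, so it assumes the model returned by `get_user_model()` declares `is_active` as a database field. A custom user model that exposes `is_active` only as a plain attribute or property would presumably raise a `FieldError` here and break password reset for every account. Keeping the query on `email__iexact=email` alone and checking the flag per user, e.g. `if not user.is_active or not user.has_usable_password():`, avoids that dependency. The form still validates and silently sends nothing for inactive accounts, which avoids disclosing account state to the requester; a short comment saying this is deliberate would help. The loop body continues outside the hunk.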
@ -436,6 +436,7 @@ class PasswordResetFormTest(TestCase):
|
||||||
user.save()
|
user.save()
|
||||||
form = PasswordResetForm({'email': email})
|
form = PasswordResetForm({'email': email})
|
||||||
self.assertTrue(form.is_valid())
|
self.assertTrue(form.is_valid())
|
||||||
|
form.save()
|
||||||
self.assertEqual(len(mail.outbox), 0)
|
self.assertEqual(len(mail.outbox), 0)
|
||||||
|
|
||||||
def test_unusable_password(self):
|
def test_unusable_password(self):
|
||||||
|
|