[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

Backport of 5f5259036 from master.
Claude Paroz 2013-10-19 10:40:20 +02:00
parent 742585b59c
commit 0c850e2885
2 changed files with 4 additions and 2 deletions


@ -228,8 +228,9 @@ class PasswordResetForm(forms.Form):
from django.core.mail import send_mail from django.core.mail import send_mail
UserModel = get_user_model() UserModel = get_user_model()
email = self.cleaned_data["email"] email = self.cleaned_data["email"]
users = UserModel._default_manager.filter(email__iexact=email) active_users = UserModel._default_manager.filter(
for user in users: email__iexact=email, is_active=True)
for user in active_users:
# Make sure that no email is sent to a user that actually has # Make sure that no email is sent to a user that actually has
# a password marked as unusable # a password marked as unusable
if not user.has_usable_password(): if not user.has_usable_password():
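Review bot: The `is_active=True` added to the `filter(` call only gates who receives the e-mail; it does not feed into the token, so a reset link already sent to a user who is deactivated afterwards stays usable until it expires unless the confirm view — outside this hunk — applies the same check when it loads the user by uid. A second caveat: the check is now a database lookup rather than an attribute test, so a custom user model that exposes `is_active` only as a plain attribute and not as a model field would presumably get a FieldError here. I would record the first point in a comment above the query: `# Inactive users are excluded at send time only; the confirm view must re-check is_active, since the token does not encode it.` The enclosing save() method continues beyond the end of the hunk.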


@ -401,6 +401,7 @@ class PasswordResetFormTest(TestCase):
user.save() user.save()
form = PasswordResetForm({'email': email}) form = PasswordResetForm({'email': email})
self.assertTrue(form.is_valid()) self.assertTrue(form.is_valid())
form.save()
self.assertEqual(len(mail.outbox), 0) self.assertEqual(len(mail.outbox), 0)
def test_unusable_password(self): def test_unusable_password(self):
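Review bot: The added `form.save()` is what makes `self.assertEqual(len(mail.outbox), 0)` meaningful — before it the outbox was empty simply because nothing had been sent — but the test still cannot tell whether the mail was suppressed by the inactive flag or by an unusable password, since save() skips both. The user's setup is above the hunk, so I cannot see its password state; I would pin it just before saving with `self.assertTrue(user.has_usable_password())` so the test fails for the right reason if the fixture changes. The enclosing test method starts outside the hunk.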