From 1285ca67eba96045b4f6fe6f5c7fd6570571f1bd Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Wed, 2 Oct 2013 13:28:15 -0400
Subject: [PATCH] Fixed #16919 -- Passed user to set_password_form in GET
 requests.

Thanks Jaime Irurzun for the report and initial patch and
ejucovy for the test.
---
 .../registration/password_reset_confirm.html     |  4 +++-
 django/contrib/auth/tests/test_views.py          | 16 ++++++++++++++++
 django/contrib/auth/views.py                     |  2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/django/contrib/auth/tests/templates/registration/password_reset_confirm.html b/django/contrib/auth/tests/templates/registration/password_reset_confirm.html
index 8f06c577934..42677d6766a 100644
--- a/django/contrib/auth/tests/templates/registration/password_reset_confirm.html
+++ b/django/contrib/auth/tests/templates/registration/password_reset_confirm.html
@@ -1,5 +1,7 @@
+Hello, {{ form.user }}.
+
 {% if validlink %}
 Please enter your new password: {{ form }}
 {% else %}
 The password reset link was invalid
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/django/contrib/auth/tests/test_views.py b/django/contrib/auth/tests/test_views.py
index 0ee36e00825..16c695c7fde 100644
--- a/django/contrib/auth/tests/test_views.py
+++ b/django/contrib/auth/tests/test_views.py
@@ -307,6 +307,22 @@ class PasswordResetTest(AuthViewsTestCase):
         self.assertEqual(response.status_code, 302)
         self.assertURLEqual(response.url, '/password_reset/')
 
+    def test_confirm_display_user_from_form(self):
+        url, path = self._test_confirm_start()
+        response = self.client.get(path)
+
+        # #16919 -- The ``password_reset_confirm`` view should pass the user
+        # object to the ``SetPasswordForm``, even on GET requests.
+        # For this test, we render ``{{ form.user }}`` in the template
+        # ``registration/password_reset_confirm.html`` so that we can test this.
+        username = User.objects.get(email='staffmember@example.com').username
+        self.assertContains(response, "Hello, %s." % username)
+
+        # However, the view should NOT pass any user object on a form if the
+        # password reset link was invalid.
+        response = self.client.get('/reset/zzzzzzzzzzzzz/1-1/')
+        self.assertContains(response, "Hello, .")
+
 
 @override_settings(AUTH_USER_MODEL='auth.CustomUser')
 class CustomUserPasswordResetTest(AuthViewsTestCase):
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index d5f15138c41..d20e0615388 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -216,7 +216,7 @@ def password_reset_confirm(request, uidb64=None, token=None,
                 form.save()
                 return HttpResponseRedirect(post_reset_redirect)
         else:
-            form = set_password_form(None)
+            form = set_password_form(user)
     else:
         validlink = False
         form = None