From 5f52590368063fc8284e23be492d83ba751f66bf Mon Sep 17 00:00:00 2001
From: Claude Paroz
Date: Sat, 19 Oct 2013 10:40:20 +0200
Subject: [PATCH] Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.
---
 django/contrib/auth/forms.py | 5 +++--
 django/contrib/auth/tests/test_forms.py | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index ec70da2910..b13131fc94 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -238,8 +238,9 @@ class PasswordResetForm(forms.Form):
         from django.core.mail import send_mail
         UserModel = get_user_model()
         email = self.cleaned_data["email"]
-        users = UserModel._default_manager.filter(email__iexact=email)
-        for user in users:
+        active_users = UserModel._default_manager.filter(
+            email__iexact=email, is_active=True)
+        for user in active_users:
             # Make sure that no email is sent to a user that actually has
             # a password marked as unusable
             if not user.has_usable_password():
diff --git a/django/contrib/auth/tests/test_forms.py b/django/contrib/auth/tests/test_forms.py
index de58641226..bf9a002770 100644
--- a/django/contrib/auth/tests/test_forms.py
+++ b/django/contrib/auth/tests/test_forms.py
@@ -436,6 +436,7 @@ class PasswordResetFormTest(TestCase):
         user.save()
         form = PasswordResetForm({'email': email})
         self.assertTrue(form.is_valid())
+        form.save()
         self.assertEqual(len(mail.outbox), 0)
 
     def test_unusable_password(self):
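Review bot: The new `is_active=True` filter hard-codes a field on the swappable user model returned by `get_user_model()`, and nothing in the hunk guarantees that model has an `is_active` database column; a project whose `AUTH_USER_MODEL` omits it will get a `FieldError` from `filter()` on every password-reset POST, turning a silent no-op into a server error. Because this is a security fix (presumably a reset link would otherwise let a deactivated account set a fresh password, per the referenced tickets), the requirement should be stated where it bites, e.g. above the filter: `# Requires an is_active field on the user model; a custom AUTH_USER_MODEL without one raises FieldError here.` and echoed in the custom-user-model docs. The `email__iexact` lookup carries the same hard-coded-field assumption, but that predates this change. The enclosing method (the form's `save()`, judging by the `send_mail` import) starts before the hunk and continues after it.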