From 7d71a9e45fa85bff15501057b69440b4dfae688d Mon Sep 17 00:00:00 2001
From: Carl Meyer
Date: Mon, 14 Mar 2011 21:14:10 +0000
Subject: [PATCH] Fixed #9213 - Added check to prevent inactive users from resetting their password. Thanks to John Scott for report and draft patch, and Evgeny Fadeev for final patch with test.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15805 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/auth/forms.py | 7 +++++--
 django/contrib/auth/tests/forms.py | 24 +++++++++++++++++++++---
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index 74732799e7..3dcbd8480c 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -109,10 +109,13 @@ class PasswordResetForm(forms.Form):
 def clean_email(self):
 """
- Validates that a user exists with the given e-mail address.
+ Validates that an active user exists with the given e-mail address.
 """
 email = self.cleaned_data["email"]
- self.users_cache = User.objects.filter(email__iexact=email)
+ self.users_cache = User.objects.filter(
+ email__iexact=email,
+ is_active=True
+ )
 if len(self.users_cache) == 0:
 raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
 return email
diff --git a/django/contrib/auth/tests/forms.py b/django/contrib/auth/tests/forms.py
index 5aa49e09c3..6f9e01d127 100644
--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@@ -219,6 +219,15 @@ class PasswordResetFormTest(TestCase):
 fixtures = ['authtestdata.json']
+ def create_dummy_user(self):
+ """creates a user and returns a tuple
+ (user_object, username, email)
+ """
+ username = 'jsmith'
+ email = 'jsmith@example.com'
+ user = User.objects.create_user(username, email, 'test123')
+ return (user, username, email)
+
 def test_invalid_email(self):
 data = {'email':'not valid'}
 form = PasswordResetForm(data)
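Review bot: With the new `is_active=True` filter, the `ValidationError` raised two lines below now fires for inactive accounts too, so the form's visible response to an unauthenticated caller distinguishes "active account", "inactive account" and "unknown address" — the commit hardens the reset but widens the account-state disclosure that the pre-existing error message already made. If that disclosure is not acceptable, `clean_email` should accept any well-formed address and leave it to the caller to send nothing when `users_cache` is empty, instead of raising; that is a behaviour change the tests below would need to follow. A smaller point on the unchanged line that follows: `len(self.users_cache) == 0` evaluates the whole queryset just to test emptiness, and `if not self.users_cache.exists():` is the cheaper query, though presumably `users_cache` is iterated by the view afterwards, so that trade-off should be checked. The enclosing `PasswordResetForm` class starts above the hunk.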
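Review bot: `create_dummy_user` hard-codes the username `'jsmith'` whereas the test it replaces used `'jsmith3'`; if the `authtestdata.json` fixture loaded by this class already contains a `jsmith`, `create_user` will fail on the unique username before any assertion runs — worth confirming against the fixture. The docstring also does not follow the PEP 257 shape used in `clean_email` (capitalised one-line summary); `"""Create a user and return (user_object, username, email)."""` would do. The enclosing `PasswordResetFormTest` class starts above the hunk.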
@@ -236,11 +245,11 @@ class PasswordResetFormTest(TestCase):
 def test_cleaned_data(self):
 # Regression test
- user = User.objects.create_user("jsmith3", "jsmith3@example.com", "test123")
- data = {'email':'jsmith3@example.com'}
+ (user, username, email) = self.create_dummy_user()
+ data = {'email': email}
 form = PasswordResetForm(data)
 self.assertTrue(form.is_valid())
- self.assertEqual(form.cleaned_data['email'], u'jsmith3@example.com')
+ self.assertEqual(form.cleaned_data['email'], email)
 def test_bug_5605(self):
@@ -250,3 +259,12 @@ class PasswordResetFormTest(TestCase):
 self.assertEqual(user.email, 'tesT@example.com')
 user = User.objects.create_user('forms_test3', 'tesT', 'test')
 self.assertEqual(user.email, 'tesT')
+
+ def test_inactive_user(self):
+ #tests that inactive user cannot
+ #receive password reset email
+ (user, username, email) = self.create_dummy_user()
+ user.is_active = False
+ user.save()
+ form = PasswordResetForm({'email': email})
+ self.assertFalse(form.is_valid())
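Review bot: `test_inactive_user` only asserts that the form is invalid, so it would also pass if validation failed for an unrelated reason such as the address itself being rejected; it should pin the failure to the e-mail field, `self.assertIn('email', form.errors)`, and since `clean_email` sets `users_cache` before raising, `self.assertEqual(len(form.users_cache), 0)` would additionally confirm that no user would be mailed. The two `#` comments belong in a docstring, `"""An inactive user must not be able to request a password reset."""`, and `username` from the unpacked tuple is unused here and in the `test_cleaned_data` hunk above. The enclosing `PasswordResetFormTest` class starts above the hunk.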