[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

Backport of 5f52590 from master.
commit 0c850e28858016b5890ae83a6ec6880614b306a2 1 parent 742585b
@claudep claudep authored
5 django/contrib/auth/forms.py
@@ -228,8 +228,9 @@ def save(self, domain_override=None,
from django.core.mail import send_mail
UserModel = get_user_model()
email = self.cleaned_data["email"]
- users = UserModel._default_manager.filter(email__iexact=email)
- for user in users:
+ active_users = UserModel._default_manager.filter(
+ email__iexact=email, is_active=True)
+ for user in active_users:
# Make sure that no email is sent to a user that actually has
# a password marked as unusable
if not user.has_usable_password():
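Review bot: the `is_active=True` lookup in the new `filter(...)` call assumes every model returned by `get_user_model()` has `is_active` as a queryable database field. A swapped-in user model that exposes `is_active` only as a plain attribute or property would make this query raise instead of silently skipping the user. Either document that requirement for custom user models alongside this form, or keep the query on `email__iexact` alone and check `user.is_active` inside the loop next to the existing `has_usable_password()` check.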
1  django/contrib/auth/tests/test_forms.py
@@ -401,6 +401,7 @@ def test_inactive_user(self):
user.save()
form = PasswordResetForm({'email': email})
self.assertTrue(form.is_valid())
+ form.save()
self.assertEqual(len(mail.outbox), 0)
def test_unusable_password(self):
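Review bot: with `form.save()` added, `assertEqual(len(mail.outbox), 0)` in `test_inactive_user` now exercises the send path, but it only proves that nothing was sent. Consider a companion case where an active user and an inactive user share the same address and the outbox ends up with exactly one message, so the test would also catch a filter that excludes too much.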
