Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.
commit 5f52590368063fc8284e23be492d83ba751f66bf 1 parent 59a8808
Claude Paroz authored October 19, 2013
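--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -238,8 +238,9 @@ def save(self, domain_override=None,
         from django.core.mail import send_mail
         UserModel = get_user_model()
         email = self.cleaned_data["email"]
-        users = UserModel._default_manager.filter(email__iexact=email)
-        for user in users:
+        active_users = UserModel._default_manager.filter(
+            email__iexact=email, is_active=True)
+        for user in active_users:
             # Make sure that no email is sent to a user that actually has
             # a password marked as unusable
             if not user.has_usable_password():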
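Review bot: The `is_active=True` lookup added to the `filter()` call requires `is_active` to be a real model field on whatever `get_user_model()` returns; a custom user model that exposes it only as a class attribute or property would presumably fail the query with a FieldError rather than simply matching no inactive users. If that requirement is intended, state it next to the query, e.g. `# Inactive accounts must not receive reset links; requires an is_active field on the user model.`, and repeat it in the form's documentation. The body of `save()` starts and ends outside this hunk, so any handling further down is not visible.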
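--- a/django/contrib/auth/tests/test_forms.py
+++ b/django/contrib/auth/tests/test_forms.py
@@ -436,6 +436,7 @@ def test_inactive_user(self):
         user.save()
         form = PasswordResetForm({'email': email})
         self.assertTrue(form.is_valid())
+        form.save()
         self.assertEqual(len(mail.outbox), 0)
 
     def test_unusable_password(self):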
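Review bot: The added `form.save()` exercises only the step that sends the e-mail, so the test shows that no new link is issued to an inactive account but says nothing about a link issued before the account was deactivated. Whether the confirmation step refuses such a link is not visible in this commit; a companion test that deactivates the user after the mail is sent and then asserts the link is rejected would pin the behaviour the commit title promises. `test_inactive_user` begins outside the hunk, so the user setup is assumed from the visible `user.save()`.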
