Fixed #9213 - Added check to prevent inactive users from resetting th…

…eir password. Thanks to John Scott for report and draft patch, and Evgeny Fadeev for final patch with test.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15805 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 7d71a9e45fa85bff15501057b69440b4dfae688d 1 parent fd2f180
@carljm carljm authored
Showing with 26 additions and 5 deletions.
  1. +5 −2 django/contrib/auth/forms.py
  2. +21 −3 django/contrib/auth/tests/forms.py
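--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -109,10 +109,13 @@ class PasswordResetForm(forms.Form):
 def clean_email(self):
 """
- Validates that a user exists with the given e-mail address.
+ Validates that an active user exists with the given e-mail address.
 """
 email = self.cleaned_data["email"]
- self.users_cache = User.objects.filter(email__iexact=email)
+ self.users_cache = User.objects.filter(
+ email__iexact=email,
+ is_active=True
+ )
 if len(self.users_cache) == 0:
 raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
 return email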
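Review bot: The `raise forms.ValidationError(...)` branch at the end of `clean_email` still tells an unauthenticated caller whether an address maps to an account. With the new `is_active=True` filter a deactivated account gets the same "Are you sure you've registered?" text, which is now inaccurate for that case. If that enumeration signal is accepted by design, I would record it above the check, e.g. `# NOTE: this error reveals whether an active account exists for the address`; otherwise the view should show the same confirmation whether or not a match was found. The filter only suppresses the e-mail if the sending code iterates `self.users_cache`, which is outside this hunk. Presumably a reset link issued before deactivation has to be rejected by the confirm step, which is also not visible here.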
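--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@@ -219,6 +219,15 @@ class PasswordResetFormTest(TestCase):
 fixtures = ['authtestdata.json']
+ def create_dummy_user(self):
+ """creates a user and returns a tuple
+ (user_object, username, email)
+ """
+ username = 'jsmith'
+ email = 'jsmith@example.com'
+ user = User.objects.create_user(username, email, 'test123')
+ return (user, username, email)
+
 def test_invalid_email(self):
 data = {'email':'not valid'}
 form = PasswordResetForm(data)
@@ -236,11 +245,11 @@ def test_nonexistant_email(self):
 def test_cleaned_data(self):
 # Regression test
- user = User.objects.create_user("jsmith3", "jsmith3@example.com", "test123")
- data = {'email':'jsmith3@example.com'}
+ (user, username, email) = self.create_dummy_user()
+ data = {'email': email}
 form = PasswordResetForm(data)
 self.assertTrue(form.is_valid())
- self.assertEqual(form.cleaned_data['email'], u'jsmith3@example.com')
+ self.assertEqual(form.cleaned_data['email'], email)
 def test_bug_5605(self):
@@ -250,3 +259,12 @@ def test_bug_5605(self):
 self.assertEqual(user.email, 'tesT@example.com')
 user = User.objects.create_user('forms_test3', 'tesT', 'test')
 self.assertEqual(user.email, 'tesT')
+
+ def test_inactive_user(self):
+ #tests that inactive user cannot
+ #receive password reset email
+ (user, username, email) = self.create_dummy_user()
+ user.is_active = False
+ user.save()
+ form = PasswordResetForm({'email': email})
+ self.assertFalse(form.is_valid())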
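Review bot: `test_inactive_user` asserts only `self.assertFalse(form.is_valid())`, which passes for any validation failure, so it does not pin the inactive-account check specifically. I would first assert that the form is valid while the user is still active. After `user.save()` I would also assert the field error, e.g. `self.assertEqual(form["email"].errors, [u"That e-mail address doesn't have an associated user account. Are you sure you've registered?"])`. `create_dummy_user` also returns `username`, which neither caller in this section uses, so returning just the user and e-mail would be simpler.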