Fixed #9213 - Added check to prevent inactive users from resetting th…

…eir password. Thanks to John Scott for report and draft patch, and Evgeny Fadeev for final patch with test.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15805 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 7d71a9e45fa85bff15501057b69440b4dfae688d 1 parent fd2f180
Carl Meyer authored March 14, 2011
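--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -109,10 +109,13 @@ class PasswordResetForm(forms.Form):
 
     def clean_email(self):
         """
-        Validates that a user exists with the given e-mail address.
+        Validates that an active user exists with the given e-mail address.
         """
         email = self.cleaned_data["email"]
-        self.users_cache = User.objects.filter(email__iexact=email)
+        self.users_cache = User.objects.filter(
+                                email__iexact=email,
+                                is_active=True
+                            )
         if len(self.users_cache) == 0:
             raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
         return email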
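Review bot: The ValidationError raised on the `len(self.users_cache) == 0` line is now also reached for an inactive account, but its text still tells the requester that no account exists for the address, which is no longer accurate for that case; more broadly, an unknown or inactive address gets this distinct error while an active one passes, so the response reveals which addresses belong to active accounts, and the commit leaves that unchanged. If treating inactive accounts as unknown is deliberate, say so above the `if`, e.g. `# Inactive accounts are deliberately treated as unknown; the response still differs for known vs. unknown addresses.` Otherwise consider accepting any well-formed address here and simply sending nothing when no active user matches, so the form's outcome does not depend on whether the e-mail is registered. The hanging indent of the `filter(` call is also deeper than the file's surrounding style; aligning the arguments with the opening parenthesis would read more consistently.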
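--- a/django/contrib/auth/tests/forms.py
+++ b/django/contrib/auth/tests/forms.py
@@ -219,6 +219,15 @@ class PasswordResetFormTest(TestCase):
 
     fixtures = ['authtestdata.json']
 
+    def create_dummy_user(self):
+        """creates a user and returns a tuple
+        (user_object, username, email)
+        """
+        username = 'jsmith'
+        email = 'jsmith@example.com'
+        user = User.objects.create_user(username, email, 'test123')
+        return (user, username, email)
+
     def test_invalid_email(self):
         data = {'email':'not valid'}
         form = PasswordResetForm(data)
@@ -236,11 +245,11 @@ def test_nonexistant_email(self):
 
     def test_cleaned_data(self):
         # Regression test
-        user = User.objects.create_user("jsmith3", "jsmith3@example.com", "test123")
-        data = {'email':'jsmith3@example.com'}
+        (user, username, email) = self.create_dummy_user()
+        data = {'email': email}
         form = PasswordResetForm(data)
         self.assertTrue(form.is_valid())
-        self.assertEqual(form.cleaned_data['email'], u'jsmith3@example.com')
+        self.assertEqual(form.cleaned_data['email'], email)
 
 
     def test_bug_5605(self):
@@ -250,3 +259,12 @@ def test_bug_5605(self):
         self.assertEqual(user.email, 'tesT@example.com')
         user = User.objects.create_user('forms_test3', 'tesT', 'test')
         self.assertEqual(user.email, 'tesT')
+
+    def test_inactive_user(self):
+        #tests that inactive user cannot
+        #receive password reset email
+        (user, username, email) = self.create_dummy_user()
+        user.is_active = False
+        user.save()
+        form = PasswordResetForm({'email': email})
+        self.assertFalse(form.is_valid())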
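Review bot: `test_inactive_user` only asserts that the form is invalid, so it would also pass if validation failed for an unrelated reason (for example a malformed address); pinning the error to the field it is meant to test makes the regression check meaningful, e.g. `self.assertTrue('email' in form.errors)` after the `assertFalse`. The same test and `test_cleaned_data` bind `username` from `create_dummy_user()` without using it; `(user, _, email) = self.create_dummy_user()` documents that only two values matter. The two `#tests that ...` lines would read better as a one-line docstring in the imperative, matching the other tests in this class, and `create_dummy_user`'s docstring should likewise start with a capitalised summary sentence.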
