fix(account/forms): Don't send password reset to inactive user

pennersr · Dec 18, 2019 · 845aa57 · 845aa57
1 parent 9ec5a54
commit 845aa57
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/allauth/account/forms.py b/allauth/account/forms.py
@@ -499,7 +499,7 @@ class ResetPasswordForm(forms.Form):
     def clean_email(self):
         email = self.cleaned_data["email"]
         email = get_adapter().clean_email(email)
-        self.users = filter_users_by_email(email)
+        self.users = filter_users_by_email(email, is_active=True)
         if not self.users:
             raise forms.ValidationError(_("The e-mail address is not assigned"
                                           " to any user account"))

diff --git a/allauth/account/tests.py b/allauth/account/tests.py
@@ -1219,6 +1219,20 @@ def test_login_on_confirm_uuid_user(self, mocked_gum, mock_perform_login):
         assert mock_perform_login.called
 
 
+class TestResetPasswordForm(TestCase):
+
+    def test_user_email_not_sent_inactive_user(self):
+        User = get_user_model()
+        User.objects.create_user(
+            'mike123',
+            'mike@ixample.org',
+            'test123',
+            is_active=False)
+        data = {'email': 'mike@ixample.org'}
+        form = ResetPasswordForm(data)
+        self.assertFalse(form.is_valid())
+
+
 class TestCVE2019_19844(TestCase):
 
     global_request = RequestFactory().get('/')

diff --git a/allauth/account/utils.py b/allauth/account/utils.py
@@ -381,7 +381,7 @@ def filter_users_by_username(*username):
     return ret
 
 
-def filter_users_by_email(email):
+def filter_users_by_email(email, is_active=None):
     """Return list of users by email address
 
     Typically one, at most just a few in length.  First we look through
@@ -391,13 +391,18 @@ def filter_users_by_email(email):
     from .models import EmailAddress
     User = get_user_model()
     mails = EmailAddress.objects.filter(email__iexact=email)
+    if is_active is not None:
+        mails = mails.filter(user__is_active=is_active)
     users = []
     for e in mails.prefetch_related('user'):
         if _unicode_ci_compare(e.email, email):
             users.append(e.user)
     if app_settings.USER_MODEL_EMAIL_FIELD:
         q_dict = {app_settings.USER_MODEL_EMAIL_FIELD + '__iexact': email}
-        for user in User.objects.filter(**q_dict).iterator():
+        user_qs = User.objects.filter(**q_dict)
+        if is_active is not None:
+            user_qs = user_qs.filter(is_active=is_active)
+        for user in user_qs.iterator():
             user_email = getattr(user, app_settings.USER_MODEL_EMAIL_FIELD)
             if _unicode_ci_compare(user_email, email):
                 users.append(user)