From 845aa5730636c07b305af0d28e6ea8c530f81657 Mon Sep 17 00:00:00 2001
From: Raymond Penners
Date: Wed, 18 Dec 2019 15:08:03 +0100
Subject: [PATCH] fix(account/forms): Don't send password reset to inactive user
---
 allauth/account/forms.py | 2 +-
 allauth/account/tests.py | 14 ++++++++++++++
 allauth/account/utils.py | 9 +++++++--
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/allauth/account/forms.py b/allauth/account/forms.py
index aa792b092b..8c4f29dfe2 100644
--- a/allauth/account/forms.py
+++ b/allauth/account/forms.py
@@ -499,7 +499,7 @@ class ResetPasswordForm(forms.Form):
 def clean_email(self):
 email = self.cleaned_data["email"]
 email = get_adapter().clean_email(email)
- self.users = filter_users_by_email(email)
+ self.users = filter_users_by_email(email, is_active=True)
 if not self.users:
 raise forms.ValidationError(_("The e-mail address is not assigned"
 " to any user account"))
diff --git a/allauth/account/tests.py b/allauth/account/tests.py
index 7e582374ef..a2b88441d6 100644
--- a/allauth/account/tests.py
+++ b/allauth/account/tests.py
@@ -1219,6 +1219,20 @@ def test_login_on_confirm_uuid_user(self, mocked_gum, mock_perform_login):
 assert mock_perform_login.called
+class TestResetPasswordForm(TestCase):
+ def test_user_email_not_sent_inactive_user(self):
+ User = get_user_model()
+ User.objects.create_user( 'mike123', 'mike@ixample.org', 'test123', is_active=False)
+ data = {'email': 'mike@ixample.org'}
+ form = ResetPasswordForm(data)
+ self.assertFalse(form.is_valid())
+
+
 class TestCVE2019_19844(TestCase):
 global_request = RequestFactory().get('/')
diff --git a/allauth/account/utils.py b/allauth/account/utils.py
index 1293078842..27ca06d617 100644
--- a/allauth/account/utils.py
+++ b/allauth/account/utils.py
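Review bot: With the added `is_active=True` filter, an inactive account's address now fails `clean_email` with `"The e-mail address is not assigned to any user account"`, which is inaccurate for that case, and since a known active address passes while an unknown one raises, the reset form still lets a caller distinguish addresses that have an account from those that do not. If disclosing account state is not intended, consider not raising here and having the form's save step send nothing when `self.users` is empty; if the validation error must stay, a neutral wording such as `_("A password reset e-mail cannot be sent to this address")` at least avoids the misleading message for inactive users. The rest of `ResetPasswordForm` lies outside the hunk, so how `self.users` is consumed later cannot be confirmed here.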
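Review bot: The new test appears to exercise only the `USER_MODEL_EMAIL_FIELD` lookup in `filter_users_by_email`: `create_user` as written stores the address on the user model and nothing in the hunk creates an `EmailAddress` row, so the `user__is_active` filter on the `EmailAddress` query is not covered, and there is no positive case asserting that an active user's address still validates. A second test that also creates `EmailAddress.objects.create(user=user, email='mike@ixample.org', ...)` for the inactive user, and an `is_active=True` counterpart ending in `self.assertTrue(form.is_valid())`, would pin both branches and guard against a regression that breaks the reset flow for everyone. Whether `create_user` triggers signal-based `EmailAddress` creation in this project is not visible here.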
@@ -381,7 +381,7 @@ def filter_users_by_username(*username):
 return ret
-def filter_users_by_email(email):
+def filter_users_by_email(email, is_active=None):
 """Return list of users by email address
 Typically one, at most just a few in length. First we look through
@@ -391,13 +391,18 @@ def filter_users_by_email(email):
 from .models import EmailAddress
 User = get_user_model()
 mails = EmailAddress.objects.filter(email__iexact=email)
+ if is_active is not None:
+ mails = mails.filter(user__is_active=is_active)
 users = []
 for e in mails.prefetch_related('user'):
 if _unicode_ci_compare(e.email, email):
 users.append(e.user)
 if app_settings.USER_MODEL_EMAIL_FIELD:
 q_dict = {app_settings.USER_MODEL_EMAIL_FIELD + '__iexact': email}
- for user in User.objects.filter(**q_dict).iterator():
+ user_qs = User.objects.filter(**q_dict)
+ if is_active is not None:
+ user_qs = user_qs.filter(is_active=is_active)
+ for user in user_qs.iterator():
 user_email = getattr(user, app_settings.USER_MODEL_EMAIL_FIELD)
 if _unicode_ci_compare(user_email, email):
 users.append(user)
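Review bot: The new `is_active` parameter on `filter_users_by_email` is not documented; the docstring that follows the signature still describes only the e-mail lookup. Add a line to the docstring body such as `is_active: when not None, only users whose is_active flag equals this value are returned; None (the default) applies no filter.` so callers know that the default preserves the old behaviour. The function body continues past the end of this hunk.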
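Review bot: Both new filters, `mails.filter(user__is_active=is_active)` and `user_qs.filter(is_active=is_active)`, assume `is_active` is a database field on the user model; Django's `AbstractBaseUser` provides `is_active = True` only as a plain class attribute, so a custom user model that does not declare the field would presumably raise `FieldError` here once `ResetPasswordForm` passes `is_active=True`, whereas the previous code worked for such models. If that case matters, apply the filter in Python instead, e.g. `if is_active is not None: users = [u for u in users if getattr(u, 'is_active', True) == is_active]` before the function's return, or state the field requirement in the docstring. The function body continues beyond the hunk on both sides, so the return statement is not visible here.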