Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

Fixed #21291 -- Ensured inactive users cannot reset their passwords
Thanks kz26 for the report and the suggested fix. Refs #19758.
5f525903 · Claude Paroz · 59a88086 · 5f525903 · 5f525903
Kaydet (Commit) 5f525903 authored Eki 19, 2013 tarafından Claude Paroz
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

forms.py django/contrib/auth/forms.py +3 -2

test_forms.py django/contrib/auth/tests/test_forms.py +1 -0

No files found.
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -238,8 +238,9 @@ class PasswordResetForm(forms.Form):
        from django.core.mail import send_mail
        UserModel = get_user_model()
        email = self.cleaned_data["email"]
-        users = UserModel._default_manager.filter(email__iexact=email)
-        for user in users:
+        active_users = UserModel._default_manager.filter(
+            email__iexact=email, is_active=True)
+        for user in active_users:
            # Make sure that no email is sent to a user that actually has
            # a password marked as unusable
            if not user.has_usable_password():

--- a/django/contrib/auth/tests/test_forms.py
+++ b/django/contrib/auth/tests/test_forms.py
@@ -436,6 +436,7 @@ class PasswordResetFormTest(TestCase):
        user.save()
        form = PasswordResetForm({'email': email})
        self.assertTrue(form.is_valid())
+        form.save()
        self.assertEqual(len(mail.outbox), 0)

    def test_unusable_password(self):