author | Claude Paroz <claude@2xlibre.net> | 2013-10-19 10:40:20 +0200 |
---|---|---|
committer | Claude Paroz <claude@2xlibre.net> | 2013-10-19 10:53:43 +0200 |
commit | 0c850e28858016b5890ae83a6ec6880614b306a2 (patch) | |
tree | da16f6255292acfba9744f1915240225b32772e6 | |
parent | 742585b59cb01dd04aa86b623f83caae7e9295da (diff) | |
download | django-0c850e28858016b5890ae83a6ec6880614b306a2.tar.gz |
[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords
Thanks kz26 for the report and the suggested fix. Refs #19758.
Backport of 5f5259036 from master.
-rw-r--r-- | django/contrib/auth/forms.py | 5 | ||||
-rw-r--r-- | django/contrib/auth/tests/test_forms.py | 1 |
2 files changed, 4 insertions, 2 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index eabb9da0b9..081d9e558c 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -228,8 +228,9 @@ class PasswordResetForm(forms.Form):
 from django.core.mail import send_mail
 UserModel = get_user_model()
 email = self.cleaned_data["email"]
- users = UserModel._default_manager.filter(email__iexact=email)
- for user in users:
+ active_users = UserModel._default_manager.filter(
+ email__iexact=email, is_active=True)
+ for user in active_users:
 # Make sure that no email is sent to a user that actually has
 # a password marked as unusable
 if not user.has_usable_password():
diff --git a/django/contrib/auth/tests/test_forms.py b/django/contrib/auth/tests/test_forms.py
index 85b95f71df..ee2c1097fc 100644
--- a/django/contrib/auth/tests/test_forms.py
+++ b/django/contrib/auth/tests/test_forms.py
@@ -401,6 +401,7 @@ class PasswordResetFormTest(TestCase):
 user.save()
 form = PasswordResetForm({'email': email})
 self.assertTrue(form.is_valid())
+ form.save()
 self.assertEqual(len(mail.outbox), 0)
 def test_unusable_password(self): |
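Review bot: In the forms.py hunk, the new `is_active=True` lookup rests on two assumptions that deserve a comment above the `filter(...)` call. Inactive accounts are dropped from the queryset without raising a validation error, which presumably keeps the form's outcome the same whether or not an address belongs to a disabled account. The lookup also appears to need `is_active` to be a queryable field on whatever model `get_user_model()` returns, which a swapped-in user model may not provide, so that is worth confirming. Suggested comment: `# Skip inactive accounts silently (no error, no mail); requires is_active to be a real field on the user model.` The enclosing method starts and ends outside the hunk.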
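Review bot: In the test_forms.py hunk, the assertion after the added `form.save()` covers only a lookup that should send nothing. Nothing visible here exercises an address shared by an active and an inactive account, which is where the `is_active=True` filter has to select per account. A companion test that creates both accounts with the same email and asserts `len(mail.outbox) == 1`, addressed to the active user, would pin that behaviour. The test method starts outside the hunk, so its setup is not visible and an existing test may already cover this.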