authorClaude Paroz <claude@2xlibre.net>2013-10-19 10:40:20 +0200
committerClaude Paroz <claude@2xlibre.net>2013-10-19 10:53:43 +0200
commit0c850e28858016b5890ae83a6ec6880614b306a2 (patch)
treeda16f6255292acfba9744f1915240225b32772e6
parent742585b59cb01dd04aa86b623f83caae7e9295da (diff)
downloaddjango-0c850e28858016b5890ae83a6ec6880614b306a2.tar.gz
[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords
Thanks kz26 for the report and the suggested fix. Refs #19758. Backport of 5f5259036 from master.
-rw-r--r--django/contrib/auth/forms.py5
-rw-r--r--django/contrib/auth/tests/test_forms.py1
2 files changed, 4 insertions, 2 deletions
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index eabb9da0b9..081d9e558c 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -228,8 +228,9 @@ class PasswordResetForm(forms.Form):
from django.core.mail import send_mail
UserModel = get_user_model()
email = self.cleaned_data["email"]
- users = UserModel._default_manager.filter(email__iexact=email)
- for user in users:
+ active_users = UserModel._default_manager.filter(
+ email__iexact=email, is_active=True)
+ for user in active_users:
# Make sure that no email is sent to a user that actually has
# a password marked as unusable
if not user.has_usable_password():
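Review bot: The added `is_active=True` lookup in `UserModel._default_manager.filter(email__iexact=email, is_active=True)` turns `is_active` into a hard database-field requirement for whatever `get_user_model()` returns, which the original email-only query did not have. AbstractBaseUser is outside this hunk, but if I remember correctly it only provides `is_active` as a plain class attribute, so a swappable user model that never declared the field would now raise a FieldError on every reset submission instead of quietly skipping inactive accounts — breaking the reset flow rather than hardening it. If that holds, the safer shape keeps the email-only query and applies the active check in Python next to the existing unusable-password check: `users = UserModel._default_manager.filter(email__iexact=email)` / `for user in users:` / `if not user.is_active or not user.has_usable_password(): continue`. If instead the field is meant to become a documented contract for custom user models, that should be stated on the form, e.g. `# Requires the user model to expose is_active as a real field; inactive users never receive reset mail`. The enclosing `save()` begins before this hunk and its body continues past the `continue` that follows.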
diff --git a/django/contrib/auth/tests/test_forms.py b/django/contrib/auth/tests/test_forms.py
index 85b95f71df..ee2c1097fc 100644
--- a/django/contrib/auth/tests/test_forms.py
+++ b/django/contrib/auth/tests/test_forms.py
@@ -401,6 +401,7 @@ class PasswordResetFormTest(TestCase):
user.save()
form = PasswordResetForm({'email': email})
self.assertTrue(form.is_valid())
+ form.save()
self.assertEqual(len(mail.outbox), 0)
def test_unusable_password(self):