#21291 closed Bug (fixed)
PasswordResetForm allows password reset for inactive users
| Reported by: | kz26 | Owned by: | Claude Paroz |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | yes | UI/UX: | no |
Description
Confirmed in master and Django 1.6b4.
The following resolves this issue:
self.users_cache = UserModel._default_manager.filter(email__iexact=email, is_active=True)
Introduced in commit https://github.com/django/django/commit/2f4a4703e1931fadf5ed81387b26cf84caf5bef9
Change History (7)
follow-up: 3 comment:1 by , 12 years ago
Allows reset for what, exactly? Something's missing in the description!
comment:2 by , 12 years ago
| Summary: | django.contrib.auth.forms.PasswordResetForm allows password reset for → PasswordResetForm allows password reset for inactive users |
|---|
comment:3 by , 12 years ago
Replying to EvilDMP:
Allows reset for what, exactly? Something's missing in the description!
Sorry, title fixed! Password reset emails are sent for users with is_active = False.
From the Django documentation: PasswordResetForm "Assumes that the user model has an integer primary key, has a field named email that can be used to identify the user, and a boolean field named is_active to prevent password resets for inactive users."
comment:4 by , 12 years ago
| Owner: | changed from to |
|---|---|
| Patch needs improvement: | set |
| Status: | new → assigned |
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Bug |
Also note that test_inactive_user is deficient, it's missing the form.save() call.
comment:5 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |