
Opened 6 months ago

Closed 6 months ago

Last modified 7 weeks ago

#21291 closed Bug (fixed)

PasswordResetForm allows password reset for inactive users

Reported by: kz26
Owned by: claudep
Component: contrib.auth
Version: master
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: yes
UI/UX: no

Description

Confirmed in master and Django 1.6b4.

The following resolves this issue:
self.users_cache = UserModel._default_manager.filter(email__iexact=email, is_active=True)

Introduced in commit https://github.com/django/django/commit/2f4a4703e1931fadf5ed81387b26cf84caf5bef9

Attachments (0)

Change History (7)

comment:1 follow-up: Changed 6 months ago by EvilDMP

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Allows reset for what, exactly? Something's missing in the description!

comment:2 Changed 6 months ago by kz26

  • Summary changed from django.contrib.auth.forms.PasswordResetForm allows password reset for to PasswordResetForm allows password reset for inactive users

comment:3 in reply to: ↑ 1 Changed 6 months ago by kz26

Replying to EvilDMP:

Allows reset for what, exactly? Something's missing in the description!

Sorry, title fixed! Password reset emails are sent for users with is_active = False.

From the Django documentation: PasswordResetForm "Assumes that the user model has an integer primary key, has a field named email that can be used to identify the user, and a boolean field named is_active to prevent password resets for inactive users."

comment:4 Changed 6 months ago by claudep

  • Owner changed from nobody to claudep
  • Patch needs improvement set
  • Status changed from new to assigned
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Bug

Also note that test_inactive_user is deficient; it's missing the form.save() call.
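An added, self-contained stand-in (not Django's code and not part of this ticket) that models the two points made above: the lookup in comment:3 (only active users matching the address case-insensitively should be mailed) and the test in comment:4 (test_inactive_user proves nothing unless form.save() is actually called, because that is where the lookup and the mail attempt happen). The User class, the PasswordResetForm stand-in, reset_mails_for and the sample users are constructed for the example and only mirror the shape of the real form's save() logic.

```python
"""Stand-in for the PasswordResetForm lookup before and after the #21291 fix.

Added example: a tiny in-memory user table, a lookup equivalent to
filter(email__iexact=email, is_active=True), and a save() that records the
addresses a reset mail would be sent to instead of sending anything.
"""
from dataclasses import dataclass


@dataclass
class User:
    pk: int
    email: str
    is_active: bool = True
    password: str = "pbkdf2$constructed"  # non-empty: usable password (constructed)

    def has_usable_password(self):
        # Mirrors the real form skipping users whose password is unusable.
        return bool(self.password) and not self.password.startswith("!")


class PasswordResetForm:
    """Minimal stand-in: only the lookup and 'send' part of the real form."""

    def __init__(self, users, email, active_only=True):
        self.users = users
        self.email = email
        # active_only=False reproduces the buggy lookup the ticket reports;
        # active_only=True is the behaviour after the fix.
        self.active_only = active_only
        self.sent_to = []  # addresses that would receive a reset mail

    def get_users(self):
        # email__iexact: case-insensitive match on the address
        matches = [u for u in self.users
                   if u.email.lower() == self.email.lower()]
        if self.active_only:
            # is_active=True: the filter the fix adds
            matches = [u for u in matches if u.is_active]
        return matches

    def save(self):
        # Nothing happens until save() is called: a test that never calls
        # it cannot tell the buggy lookup from the fixed one.
        for user in self.get_users():
            if not user.has_usable_password():
                continue
            self.sent_to.append(user.email)
        return list(self.sent_to)


# Constructed sample users
USERS = [
    User(1, "alice@example.com", is_active=True),
    User(2, "bob@example.com", is_active=False),
    User(3, "carol@example.com", is_active=True, password="!unusable"),
]


def reset_mails_for(email, active_only=True):
    """Return the addresses a reset request for `email` would mail."""
    form = PasswordResetForm(USERS, email, active_only=active_only)
    return form.save()


def test_inactive_user():
    """The check comment:4 asks for: inactive user, with save() called."""
    form = PasswordResetForm(USERS, "bob@example.com")
    form.save()
    return form.sent_to == []


if __name__ == "__main__":
    print("fixed  :", reset_mails_for("bob@example.com"))
    print("buggy  :", reset_mails_for("bob@example.com", active_only=False))
    print("iexact :", reset_mails_for("ALICE@example.com"))
    print("test_inactive_user passes:", test_inactive_user())
```

With active_only=False the inactive user's address comes back, which is the report; with the default it does not, and the test only distinguishes the two because save() runs the lookup.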

comment:5 Changed 6 months ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 5f52590368063fc8284e23be492d83ba751f66bf:

Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

comment:6 Changed 6 months ago by Claude Paroz <claude@…>

In 0c850e28858016b5890ae83a6ec6880614b306a2:

[1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their passwords

Thanks kz26 for the report and the suggested fix. Refs #19758.

Backport of 5f5259036 from master.

comment:7 Changed 7 weeks ago by frasern

For reference, changes for this ticket introduced new issue #22192.
