id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23409	PasswordResetForm should not exclude users with unusable passwords	Carl Meyer	nobody	"Currently `django.contrib.auth.PasswordResetForm` will (silently) not send a password reset email to any user who has an unusable password set. Additionally, due to the structure of the code, it's not possible to subclass `PasswordResetForm` to change this behavior without copying the entire 40-line `save()` method.

This behavior was introduced in #14674, on the theory that a user with an unusable password probably comes from some external authentication source (e.g. LDAP), and should not be allowed to reset their password and then bypass the external authentication source.

That's a reasonable policy for some situations, but there are many other reasons why one might set an unusable password (e.g. when creating a user account for someone else), and it's not at all obvious that ""unusable password"" should always imply ""unable to reset password.""

If I could go back in time, I would argue that #14674 should never have been committed, but since it was (and there have been several Django releases since), I think the default behavior should probably be left as-is for backwards-compatibility reasons.

However, I think it should be easy to subclass `PasswordResetForm` and change this policy. I will submit a pull request that extracts a `def get_users(self, email):` method of `PasswordResetForm`, whose responsibility it is, given an email address, to return the matching users who should receive a password-reset link.
"	New feature	closed	contrib.auth	1.7	Normal	fixed			Unreviewed	1	0	0	0	0	0
