don't allow inactive user to recover his password

password_reset/forms.py

@@ -43,7 +43,12 @@ class PasswordRecoveryForm(forms.Form):
     def clean_username_or_email(self):
         username = self.cleaned_data['username_or_email']
         cleaner = getattr(self, 'get_user_by_%s' % self.label_key)
-        self.cleaned_data['user'] = cleaner(username)
+        self.cleaned_data['user'] = user = cleaner(username)
+
+        if hasattr(user, 'is_active') and not user.is_active:
+            raise forms.ValidationError(_("Sorry, this user is inactive and "
+                                          "his password can't be recovered."))
+
         return username
 
     def get_user_by_username(self, username):
@@ -80,6 +85,7 @@ class PasswordRecoveryForm(forms.Form):
                                         code='not_found')
         except User.MultipleObjectsReturned:
             raise forms.ValidationError(_("Unable to find user."))
+
         return user
 
 

password_reset/tests/tests.py

@@ -93,6 +93,20 @@ class FormTests(TestCase):
         }, case_sensitive=False)
         self.assertTrue(form.is_valid())
 
+    def test_error_if_user_is_inactive(self):
+        user = create_user()
+
+        if hasattr(user, 'is_active'):
+            user.is_active = False
+            user.save()
+
+            form = PasswordRecoveryForm(data={'username_or_email': user.email})
+
+            self.assertFalse(form.is_valid(), 'Password from inactive user should not be recovered')
+
+            self.assertItemsEqual(form.errors['username_or_email'],
+                [u"Sorry, this user is inactive and his password can't be recovered."])
+
     def test_form_custom_search(self):
         # Searching only for email does some extra validation
         form = PasswordRecoveryForm(data={