Commit 183ca8fb authored by Eduardo Matos's avatar Eduardo Matos

don't allow inactive user to recover his password

parent 49d012aa
......@@ -43,7 +43,12 @@ class PasswordRecoveryForm(forms.Form):
def clean_username_or_email(self):
username = self.cleaned_data['username_or_email']
cleaner = getattr(self, 'get_user_by_%s' % self.label_key)
self.cleaned_data['user'] = cleaner(username)
self.cleaned_data['user'] = user = cleaner(username)
if hasattr(user, 'is_active') and not user.is_active:
raise forms.ValidationError(_("Sorry, this user is inactive and "
"his password can't be recovered."))
return username
def get_user_by_username(self, username):
......@@ -80,6 +85,7 @@ class PasswordRecoveryForm(forms.Form):
code='not_found')
except User.MultipleObjectsReturned:
raise forms.ValidationError(_("Unable to find user."))
return user
......
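Review bot: The new error raised in clean_username_or_email when `user.is_active` is false tells an unauthenticated requester that the account exists and has been deactivated, which is more than a recovery form needs to reveal. If that disclosure is not intended, reuse the generic wording already present in this form, e.g. `raise forms.ValidationError(_("Unable to find user."), code='inactive')`; the `code=` argument also matches the `code='not_found'` style visible in the second hunk. Separately, the `hasattr(user, 'is_active')` guard passes silently when a `get_user_by_*` lookup returns None, so a custom lookup that forgets to return the user (which the added `return user` appears to fix in one place) would skip the check without any error. The bodies of both functions extend outside the visible hunks.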
......@@ -93,6 +93,20 @@ class FormTests(TestCase):
}, case_sensitive=False)
self.assertTrue(form.is_valid())
def test_error_if_user_is_inactive(self):
user = create_user()
if hasattr(user, 'is_active'):
user.is_active = False
user.save()
form = PasswordRecoveryForm(data={'username_or_email': user.email})
self.assertFalse(form.is_valid(), 'Password from inactive user should not be recovered')
self.assertItemsEqual(form.errors['username_or_email'],
[u"Sorry, this user is inactive and his password can't be recovered."])
def test_form_custom_search(self):
# Searching only for email does some extra validation
form = PasswordRecoveryForm(data={
......
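Review bot: test_error_if_user_is_inactive submits only `user.email`, so the inactive-user check is exercised through a single lookup path even though clean_username_or_email dispatches to `get_user_by_<label_key>`. A second case posting the username (assuming create_user sets one), e.g. `form = PasswordRecoveryForm(data={'username_or_email': user.username})` followed by `self.assertFalse(form.is_valid())`, would pin the check on that path as well. Indentation is lost in this rendering, so it is unclear whether the assertions sit inside the `hasattr(user, 'is_active')` branch; if they do not, the test would fail against a user model without `is_active`, where the form stays valid.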