Merge pull request #1459 from bookwyrm-social/password-reset

Prevent password reset for inactive users

bookwyrm/tests/views/test_password.py

@@ -43,12 +43,14 @@ class PasswordViews(TestCase):
     def test_password_reset_request_post(self):
         """send 'em an email"""
         request = self.factory.post("", {"email": "aa@bb.ccc"})
+        request.user = self.anonymous_user
         view = views.PasswordResetRequest.as_view()
         resp = view(request)
         self.assertEqual(resp.status_code, 200)
         resp.render()
 
         request = self.factory.post("", {"email": "mouse@mouse.com"})
+        request.user = self.anonymous_user
         with patch("bookwyrm.emailing.send_email.delay"):
             resp = view(request)
         resp.render()

bookwyrm/views/password.py

@@ -27,7 +27,9 @@ class PasswordResetRequest(View):
         """create a password reset token"""
         email = request.POST.get("email")
         try:
-            user = models.User.objects.get(email=email, email__isnull=False)
+            user = models.User.viewer_aware_objects(request.user).get(
+                email=email, email__isnull=False
+            )
         except models.User.DoesNotExist:
             data = {"error": _("No user with that email address was found.")}
             return TemplateResponse(request, "password_reset_request.html", data)