Fixed #9213 - Added check to prevent inactive users from resetting their password. Thanks to John Scott for report and draft patch, and Evgeny Fadeev for final patch with test.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15805 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/contrib/auth/forms.py

@@ -109,10 +109,13 @@ class PasswordResetForm(forms.Form):
 
     def clean_email(self):
         """
-        Validates that a user exists with the given e-mail address.
+        Validates that an active user exists with the given e-mail address.
         """
         email = self.cleaned_data["email"]
-        self.users_cache = User.objects.filter(email__iexact=email)
+        self.users_cache = User.objects.filter(
+                                email__iexact=email,
+                                is_active=True
+                            )
         if len(self.users_cache) == 0:
             raise forms.ValidationError(_("That e-mail address doesn't have an associated user account. Are you sure you've registered?"))
         return email