djoser
Cannot reset inactive user password
Assuming it's a small bug or maybe it is an intentional feature.
I spent half a day thinking the reset password email did not work. After some digging I found that actually if a user is not active, then they will never get an email.
In views.py we have
```python
@action(["post"], detail=False)
def reset_password(self, request, *args, **kwargs):
    serializer = self.get_serializer(data=request.data)
    serializer.is_valid(raise_exception=True)
    user = serializer.get_user()

    if user:
        context = {"user": user}
        to = [get_user_email(user)]
        settings.EMAIL.password_reset(self.request, context).send(to)

    return Response(status=status.HTTP_204_NO_CONTENT)
```
The main culprit being this line: `user = serializer.get_user()`. It will always only look for active users.
In serializers.py we have
```python
class UserFunctionsMixin:
    def get_user(self, is_active=True):
        try:
            user = User._default_manager.get(
                is_active=is_active,
                **{self.email_field: self.data.get(self.email_field, "")},
            )
            if user.has_usable_password():
                return user
        except User.DoesNotExist:
            pass
        if (
            settings.PASSWORD_RESET_SHOW_EMAIL_NOT_FOUND
            or settings.USERNAME_RESET_SHOW_EMAIL_NOT_FOUND
        ):
            self.fail("email_not_found")
```
My site flow is that a user can register and then log in to resend activation (they are blocked until activation). But to get to this point they need to remember the password of course if they do not activate straight away (or fail to get the email). I can handle flow differently but was hoping for comment before I rewrite it all.
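The behaviour described in this issue, as an added example that is not part of the original post or of djoser: a framework-free model of the two functions quoted above, tabulating what the client sees and whether mail goes out for each account state. The `User` stand-in, `EmailNotFound`, the sample addresses and the 400 status for the failed validation are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class User:                      # stand-in for the Django user model
    email: str
    is_active: bool
    usable_password: bool = True

class EmailNotFound(Exception):
    """Stand-in for the ValidationError raised by self.fail("email_not_found")."""

def get_user(users, email, show_not_found, is_active=True):
    # Same decision order as UserFunctionsMixin.get_user on this page:
    # the lookup matches on email AND is_active, then checks the password.
    match = next((u for u in users
                  if u.email == email and u.is_active == is_active), None)
    if match and match.usable_password:
        return match
    if show_not_found:           # either *_SHOW_EMAIL_NOT_FOUND setting enabled
        raise EmailNotFound(email)
    return None

def reset_password(users, email, show_not_found, outbox):
    # Same shape as the view: mail only if a user came back, 204 regardless.
    try:
        user = get_user(users, email, show_not_found)
    except EmailNotFound:
        return 400               # assumed: DRF renders ValidationError as 400
    if user:
        outbox.append(user.email)
    return 204

# Constructed sample accounts.
USERS = [
    User("active@example.test", True),
    User("inactive@example.test", False),
    User("nopass@example.test", True, usable_password=False),
]

def outcome_matrix():
    """Map (email, show_not_found) -> (status, mail_sent)."""
    emails = [u.email for u in USERS] + ["unknown@example.test"]
    rows = {}
    for show in (False, True):
        for email in emails:
            outbox = []
            status = reset_password(USERS, email, show, outbox)
            rows[(email, show)] = (status, bool(outbox))
    return rows

if __name__ == "__main__":
    for key, value in outcome_matrix().items():
        print(key, value)
```

With the settings off, the inactive, unusable-password and unknown cases all return the same 204 with no mail, which is why the missing email is invisible from the client side; with either setting on, an inactive account is reported the same way as an address that does not exist.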