Forgot password form should not validate if user has not confirmed their email address yet. Fixes pallets-eco#298

Matt Wright · Matt Wright · commit 3d7b97ac3150 · 2014-09-17T11:21:31.000-04:00
diff --git a/flask_security/forms.py b/flask_security/forms.py
@@ -175,6 +175,14 @@ class ForgotPasswordForm(Form, UserEmailFormMixin):
 
     submit = SubmitField(get_form_field_label('recover_password'))
 
+    def validate(self):
+        if not super(ForgotPasswordForm, self).validate():
+            return False
+        if requires_confirmation(self.user):
+            self.email.errors.append(get_message('CONFIRMATION_REQUIRED')[0])
+            return False
+        return True
+
 
 class PasswordlessLoginForm(Form, UserEmailFormMixin):
     """The passwordless login form"""
diff --git a/tests/test_confirmable.py b/tests/test_confirmable.py
@@ -147,3 +147,15 @@ def test_confirmation_different_user_when_logged_in(client, get_message):
     response = client.get('/confirm/' + token2, follow_redirects=True)
     assert get_message('EMAIL_CONFIRMED') in response.data
     assert b'Hello lady@lp.com' in response.data
+
+
+@pytest.mark.registerable()
+@pytest.mark.settings(recoverable=True)
+def test_cannot_reset_password_when_email_is_not_confirmed(client, get_message):
+    email = 'dude@lp.com'
+
+    data = dict(email=email, password='password', next='')
+    response = client.post('/register', data=data, follow_redirects=True)
+
+    response = client.post('/reset', data=dict(email=email), follow_redirects=True)
+    assert get_message('CONFIRMATION_REQUIRED') in response.data
