From d9d48f4291baf7fb3b154151a3af8f550e53a5fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Sun, 14 Oct 2018 19:24:47 +0200
Subject: [PATCH] misc: don't display password reset view when disabled (#27318)
---
 src/authentic2/profile_views.py | 5 ++++-
 tests/test_password_reset.py | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/authentic2/profile_views.py b/src/authentic2/profile_views.py
index 3c71490b..8739ced9 100644
--- a/src/authentic2/profile_views.py
+++ b/src/authentic2/profile_views.py
@@ -3,12 +3,13 @@ import logging
 from django.views.generic import FormView
 from django.contrib import messages
 from django.contrib.auth import get_user_model, REDIRECT_FIELD_NAME, authenticate
+from django.http import Http404
 from django.utils.translation import ugettext as _
 from django.utils.http import urlsafe_base64_decode
 from .compat import default_token_generator
 from .registration_backend.forms import SetPasswordForm
-from . import cbv, profile_forms, utils, hooks
+from . import app_settings, cbv, profile_forms, utils, hooks
 class PasswordResetView(cbv.NextURLViewMixin, FormView):
@@ -30,6 +31,8 @@ class PasswordResetView(cbv.NextURLViewMixin, FormView):
 def get_context_data(self, **kwargs):
 ctx = super(PasswordResetView, self).get_context_data(**kwargs)
+ if app_settings.A2_USER_CAN_RESET_PASSWORD is False:
+ raise Http404('Password reset is not allowed.')
 ctx['title'] = _('Password reset')
 return ctx
diff --git a/tests/test_password_reset.py b/tests/test_password_reset.py
index 3feb5494..b3a1a1bb 100644
--- a/tests/test_password_reset.py
+++ b/tests/test_password_reset.py
@@ -1,4 +1,5 @@
 from django.core.urlresolvers import reverse
+from django.test.utils import override_settings
 import utils 
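Review bot: In `PasswordResetView.get_context_data` (src/authentic2/profile_views.py, second hunk) the `A2_USER_CAN_RESET_PASSWORD` check only runs when the template context is built, so it blocks displaying the form but not handling a submission. With Django's `FormView`, a POST that validates goes to `form_valid()` without calling `get_context_data()`, so, assuming `form_valid` (outside this hunk) is what sends the reset mail, a direct POST would still trigger a reset while the feature is disabled. Enforcing the setting in `dispatch()` covers every HTTP method in one place, and the check inside `get_context_data` can then be dropped. Separately, `is False` matches only the literal boolean; a falsy value such as `0` or `None` in settings would leave the feature enabled, so confirm that is intended. The class body continues outside the hunk.

```python
class PasswordResetView(cbv.NextURLViewMixin, FormView):
    # … unchanged: class attributes and other methods …

    def dispatch(self, request, *args, **kwargs):
        # Gate every HTTP method, not only the template-rendering path.
        if app_settings.A2_USER_CAN_RESET_PASSWORD is False:
            raise Http404('Password reset is not allowed.')
        return super(PasswordResetView, self).dispatch(request, *args, **kwargs)
```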
@@ -42,6 +43,9 @@ def test_view(app, simple_user, mailoutbox):
 # verify next_url was kept
 assert resp['Location'].endswith('/moncul/')
+ with override_settings(A2_USER_CAN_RESET_PASSWORD=False):
+ url = reverse('password_reset') + '?next=/moncul/'
+ app.get(url, status=404)
 def test_user_filter(app, simple_user, mailoutbox, settings):
 settings.A2_USER_FILTER = {'username': 'xxx'} # will not match simple_user
-- 
2.19.1
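Review bot: The new assertion in `test_view` exercises only a GET of `password_reset` with the setting disabled, so it would pass even if submitting the form still sent a reset mail. Within the same `override_settings` block, also submit the form and assert that the response is 404 and that no message was queued, e.g. record `sent = len(mailoutbox)` before the request and check `assert len(mailoutbox) == sent` afterwards. `test_view` starts outside the hunk, so the exact form field to post is not visible here.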