misc: don't display password reset view when disabled (#27318)

src/authentic2/profile_views.py

@@ -3,12 +3,13 @@ import logging
 from django.views.generic import FormView
 from django.contrib import messages
 from django.contrib.auth import get_user_model, REDIRECT_FIELD_NAME, authenticate
+from django.http import Http404
 from django.utils.translation import ugettext as _
 from django.utils.http import urlsafe_base64_decode
 
 from .compat import default_token_generator
 from .registration_backend.forms import SetPasswordForm
-from . import cbv, profile_forms, utils, hooks
+from . import app_settings, cbv, profile_forms, utils, hooks
 
 
 class PasswordResetView(cbv.NextURLViewMixin, FormView):
@@ -30,6 +31,8 @@ class PasswordResetView(cbv.NextURLViewMixin, FormView):
 
     def get_context_data(self, **kwargs):
         ctx = super(PasswordResetView, self).get_context_data(**kwargs)
+        if app_settings.A2_USER_CAN_RESET_PASSWORD is False:
+            raise Http404('Password reset is not allowed.')
         ctx['title'] = _('Password reset')
         return ctx
 

tests/test_password_reset.py

@@ -1,4 +1,5 @@
 from django.core.urlresolvers import reverse
+from django.test.utils import override_settings
 
 import utils
 
@@ -42,6 +43,9 @@ def test_view(app, simple_user, mailoutbox):
     # verify next_url was kept
     assert resp['Location'].endswith('/moncul/')
 
+    with override_settings(A2_USER_CAN_RESET_PASSWORD=False):
+        url = reverse('password_reset') + '?next=/moncul/'
+        app.get(url, status=404)
 
 def test_user_filter(app, simple_user, mailoutbox, settings):
     settings.A2_USER_FILTER = {'username': 'xxx'}  # will not match simple_user