From 65b74d04835e0e20589fe999e27509941b2b3326 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 13 Nov 2023 12:42:10 +0100
Subject: [PATCH] Do not allow password reset for disabled users
---
 src/pretix/control/views/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pretix/control/views/auth.py b/src/pretix/control/views/auth.py
index 084027c500..5600b6b147 100644
--- a/src/pretix/control/views/auth.py
+++ b/src/pretix/control/views/auth.py
@@ -266,7 +266,7 @@ class Forgot(TemplateView):
 has_redis = settings.HAS_REDIS
 try:
- user = User.objects.get(email__iexact=email)
+ user = User.objects.get(is_active=True, email__iexact=email)
 if has_redis:
 from django_redis import get_redis_connection
@@ -330,7 +330,7 @@ class Recover(TemplateView):
 if request.user.is_authenticated:
 return redirect(request.GET.get("next", 'control:index'))
 try:
- user = User.objects.get(id=self.request.GET.get('id'), auth_backend='native')
+ user = User.objects.get(id=self.request.GET.get('id'), is_active=True, auth_backend='native')
 except User.DoesNotExist:
 return self.invalid('unknownuser')
 if not default_token_generator.check_token(user, self.request.GET.get('token')):
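Review bot: No regression test accompanies the new `is_active=True` filter in `Forgot` (or the matching one in `Recover`); the diffstat lists only `auth.py`, so nothing pins the rule that a disabled account can neither request nor redeem a reset. One test that deactivates a user, submits the address to `Forgot` and asserts that no mail is sent, and one that opens `Recover` with a token issued before deactivation and expects the `unknownuser` outcome, would cover both hunks. The `except` branch of this `try` lies outside the hunk, so it is worth confirming that it answers identically for disabled, unknown and active addresses, otherwise the form would disclose account state. A short comment above the lookup such as `# disabled accounts are treated like unknown addresses` would also record the intent.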
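Review bot: The context line `return redirect(request.GET.get("next", 'control:index'))` at the top of this hunk forwards an authenticated user to whatever `next` contains, and no check that the target stays on this site is visible here. Assuming `redirect` is Django's shortcut, the value should be validated first, for example with `url_has_allowed_host_and_scheme(next_url, allowed_hosts={request.get_host()})`, falling back to `'control:index'` when it fails. On the changed line, a non-numeric `id` parameter would probably raise `ValueError` rather than `User.DoesNotExist`, so `except (User.DoesNotExist, ValueError):` would keep the `unknownuser` response instead of a server error. The method begins and continues outside the hunk, so either point may already be handled elsewhere.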