From b2280cba0f5c0cdb46462339ccc13098c03c87b4 Mon Sep 17 00:00:00 2001
From: Dan Braghis <dan.braghis@torchbox.com>
Date: Thu, 25 Jan 2018 15:09:21 +0000
Subject: [PATCH] Only allow non-active users to set password on activation
 path

---
 opentech/apply/users/views.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/opentech/apply/users/views.py b/opentech/apply/users/views.py
index a194121dd..0b7ad0a7b 100644
--- a/opentech/apply/users/views.py
+++ b/opentech/apply/users/views.py
@@ -3,6 +3,7 @@ from django.contrib.auth import get_user_model, login, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.forms import AdminPasswordChangeForm
 from django.contrib.auth.tokens import PasswordResetTokenGenerator
+from django.core.exceptions import PermissionDenied
 from django.shortcuts import redirect, render
 from django.template.response import TemplateResponse
 from django.urls import reverse_lazy
@@ -89,6 +90,12 @@ class ActivationView(TemplateView):
 
 
 def create_password(request):
+    """
+    A custom view for the admin password change form used for account activation.
+    """
+    if request.user.is_active:
+        raise PermissionDenied
+
     if request.method == 'POST':
         form = AdminPasswordChangeForm(request.user, request.POST)
         if form.is_valid():
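Review bot: The new guard at the top of `create_password` rejects active users but not unauthenticated ones. Django's `AnonymousUser.is_active` is `False`, so an anonymous request passes the check and reaches `AdminPasswordChangeForm(request.user, request.POST)`. No `@login_required` is visible above the `def` in this hunk, although the name is imported. Unless the view is wrapped elsewhere (for example in the URL conf), the guard should be `if not request.user.is_authenticated or request.user.is_active: raise PermissionDenied`. The docstring could also state that only a logged-in, not-yet-activated account may reach the form; the rest of the function body lies outside the hunk, so whether the account is marked active after the password is saved cannot be confirmed from here.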
-- 
GitLab