forgot password endpoint should be for anonymous users only. Fixes #291

2026-06-27 16:10:11 +08:00 · 2015-05-02 12:11:05 -04:00
parent c7d0ea9cce
commit 4659d10c5c
2 changed files with 3 additions and 0 deletions
@@ -238,6 +238,7 @@ def confirm_email(token):
                    get_url(_security.post_login_view))


+@anonymous_user_required
 def forgot_password():
    """View function that handles a forgotten password request."""

@@ -81,6 +81,8 @@ def test_context_processors(client, app):
    def mail():
        return {'foo': 'bar'}

+    client.get('/logout')
+
    with app.mail.record_messages() as outbox:
        client.post('/reset', data=dict(email='matt@lp.com'))