Multiple inactive accounts with the same OpenID can bypass user_can_login() check
nr0cinu opened this issue · comments
Bela commented
show_pick_account() doesn't do any checks if the accounts are active.
Here's the patch: http://github.com/and3k/django-openid/commit/adf3022872c0914146c36478e0944fae1bf2f903
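The flow this issue describes, as a stand-alone model added here for illustration; it is not django-openid's code and not the linked patch. The `Account` class and both `login_flow_*` functions are hypothetical, and `user_can_login()` is assumed to reject inactive accounts.

```python
from dataclasses import dataclass


@dataclass
class Account:  # hypothetical stand-in for a user record linked to an OpenID
    username: str
    is_active: bool


def user_can_login(account):
    # Assumption: the policy check from the issue title rejects inactive accounts.
    return account.is_active


def _find(accounts, username):
    return next((a for a in accounts if a.username == username), None)


def login_flow_unchecked(accounts, picked=None):
    """Reported behaviour: the check runs only on the single-account path.
    With several accounts on one OpenID, the picker trusts the selection."""
    if len(accounts) == 1:
        return accounts[0].username if user_can_login(accounts[0]) else None
    chosen = _find(accounts, picked)
    return chosen.username if chosen else None


def login_flow_checked(accounts, picked=None):
    """Hardened: filter by policy before branching on the account count,
    and resolve the selection only against the filtered list."""
    allowed = [a for a in accounts if user_can_login(a)]
    if picked is None:
        # Log in directly only when exactly one permitted account remains;
        # otherwise the caller must show a picker built from `allowed`.
        return allowed[0].username if len(allowed) == 1 else None
    chosen = _find(allowed, picked)
    return chosen.username if chosen else None


# Constructed sample data: two disabled accounts sharing one OpenID.
DISABLED = [Account("alice", False), Account("alice-old", False)]
MIXED = [Account("bob", True), Account("bob-old", False)]
```

The second function also covers a selection submitted for an account that was never offered in the picker, since the lookup runs against the filtered list rather than the raw one.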