Multiple inactive accounts with the same OpenID can bypass user_can_login() check

nr0cinu opened this issue 14 years ago · comments

Bela commented 14 years ago

show_pick_account() doesn't do any checks if the accounts are active.

Heres the patch: http://github.com/and3k/django-openid/commit/adf3022872c0914146c36478e0944fae1bf2f903