fix: don't register reset my password when not on AUTH_DB (#2384)

dpgaspar · web-flow · commit a942a9cc5775 · 2025-08-22T15:44:16.000+01:00
* fix: don't register reset my password when not on AUTH_DB

* fix: don't register reset my password when not on AUTH_DB

* add test

* fix lint
diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py
@@ -813,13 +813,13 @@ def register_views(self):
             if self.registeruser_view:
                 self.appbuilder.add_view_no_menu(self.registeruser_view)
 
-        self.appbuilder.add_view_no_menu(self.resetpasswordview())
-        self.appbuilder.add_view_no_menu(self.resetmypasswordview())
         self.appbuilder.add_view_no_menu(self.userinfoeditview())
 
         if self.auth_type == AUTH_DB:
             self.user_view = self.userdbmodelview
             self.auth_view = self.authdbview()
+            self.appbuilder.add_view_no_menu(self.resetpasswordview())
+            self.appbuilder.add_view_no_menu(self.resetmypasswordview())
 
         elif self.auth_type == AUTH_LDAP:
             self.user_view = self.userldapmodelview
diff --git a/tests/security/test_auth_oauth.py b/tests/security/test_auth_oauth.py
@@ -695,6 +695,26 @@ def test_oauth_user_info_auth0(self):
             },
         )
 
+    def test_reset_password_view_not_registered_with_oauth(self):
+        """
+        OAUTH: test that ResetMyPasswordView is not registered when using OAuth
+        authentication
+        """
+        self.appbuilder = AppBuilder(self.app, self.db.session)
+
+        for view in self.appbuilder.baseviews:
+            if view.__class__.__name__ == "ResetMyPasswordView":
+                self.fail(
+                    "ResetMyPasswordView should not be registered when using OAuth "
+                    "authentication"
+                )
+
+        # Also verify that the view is not accessible via URL
+        with self.app.test_client() as client:
+            response = client.get("/resetmypassword/form")
+            # Should return 404 since the view is not registered
+            self.assertEqual(response.status_code, 404)
+
 
 class OAuthAuthentikTestCase(unittest.TestCase):
     def setUp(self):
