diff modules/user/user.pages.inc @ 11:589fb7c02327 6.5

Drupal 6.5
author Franck Deroche <webmaster@defr.org>
date Tue, 23 Dec 2008 14:32:19 +0100
parents c1f4ac30525a
children
--- a/modules/user/user.pages.inc	Tue Dec 23 14:32:08 2008 +0100
+++ b/modules/user/user.pages.inc	Tue Dec 23 14:32:19 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.pages.inc,v 1.11 2008/01/08 10:35:43 goba Exp $
+// $Id: user.pages.inc,v 1.11.2.1 2008/10/08 20:12:18 goba Exp $
 
 /**
  * @file
@@ -43,6 +43,13 @@
 
 function user_pass_validate($form, &$form_state) {
   $name = trim($form_state['values']['name']);
+  
+  // Blocked accounts cannot request a new password,
+  // check provided username and email against access rules.
+  if (drupal_is_denied('user', $name) || drupal_is_denied('mail', $name)) {
+    form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
+  }
+
   // Try to load by email.
   $account = user_load(array('mail' => $name, 'status' => 1));
   if (!$account) {
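Review bot: The new access-rule check in user_pass_validate() tests only the string the visitor typed, so `drupal_is_denied('mail', $name)` is evaluated against a username whenever a username is entered, and the 'user' rule against an address whenever an e-mail is entered. An account whose e-mail matches a deny rule but whose username does not would therefore still pass this validation when the username is submitted. The one-time-login hunk further down does compare `$account->name` and `$account->mail`, but presumably only after the reset mail has gone out. I would repeat the test once `$account` is loaded, e.g. `if ($account && (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail))) { form_set_error('name', ...); }`. The rest of the function, including the lookup by name, lies outside this hunk, so confirm nothing there already covers it.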
@@ -87,6 +94,12 @@
     $current = time();
     // Some redundant checks for extra security ?
     if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
+      // Deny one-time login to blocked accounts.
+      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
+        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
+        drupal_goto();
+      }
+
       // No time out for first time login.
       if ($account->login && $current - $timestamp > $timeout) {
         drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
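Review bot: The blocked-account branch in user_pass_reset() runs directly after `user_load()` by `$uid` and before any comparison of the link's hash that is visible in this hunk, so the "account which has been blocked" message can be shown to a request that has not yet proven it holds a valid link. If the hash comparison follows later in the function (outside this hunk), consider moving the denial test inside that verified branch, or reusing the generic invalid-link message so the account's denied status is not disclosed. It would also help detection to record the event before `drupal_goto()`, e.g. `watchdog('user', 'One-time login denied for blocked account %name.', array('%name' => $account->name), WATCHDOG_WARNING);`.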