Source

django-registration / BRANCH_CHANGES.txt

Full commit
``is_active`` is no longer used to determine whether an account as
been activated. Instead, inactive accounts are given an "unusable"
password (see ``django.contrib.auth.models.UNUSABLE_PASSWORD``), while
the registration profile stores the actual password chosen by the user.
Once the user activates the account, the user is assign his password,
and the registration profile record subsequently deleted.

These changes make it easy to use very much the same process to implement
a "password reset" functionality. If the user confirms the password change
via email, the new password is applied, otherwise it is discarded during
the cleanup.

The cleanup process then will only delete user accounts that do not have
a password set AND an ``is_active`` of False.

Finally, the ``User`` model is monkeypatched a new ``email_confirmed``
field that is ``False`` by default and set to ``True`` during activation.
This makes it possible to use the activation process to verify email
addresses, while still keeping unconfirmed accounts usuable as well.