diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 7d57b45..c9cefe8 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -63,11 +63,17 @@ class AccountController < ApplicationController
 return
 else
 if request.post?
- user = User.find_by_mail(params[:mail])
- # user not found in db
- (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
- # user uses an external authentification
- (flash.now[:error] = l(:notice_can_t_change_password); return) if user.auth_source_id
+ user = User.find_by_mail(params[:mail].to_s)
+ # user not found or not active
+ unless user && user.active?
+ flash.now[:error] = l(:notice_account_unknown_email)
+ return
+ end
+ # user cannot change its password
+ unless user.change_password_allowed?
+ flash.now[:error] = l(:notice_can_t_change_password)
+ return
+ end
 # create a new token for password recovery
 token = Token.new(:user => user, :action => "recovery")
 if token.save
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 923c771..a30b3ba 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
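Review bot: The two failure branches still let an unauthenticated caller tell whether an address belongs to an account: `unless user && user.active?` now folds locked users into `notice_account_unknown_email`, but `unless user.change_password_allowed?` renders a different message (`notice_can_t_change_password`) that confirms the account exists, and the success path redirects to `/login` (per the test hunk) while both failures re-render the form, so the response alone reveals whether a recovery token was created. Since `params[:mail]` is attacker-supplied, consider answering every POST the same way — one generic "if an account exists a mail has been sent" notice plus the same redirect — and recording the real reason only in the log. The `.to_s` on `params[:mail]` is a good addition, since a non-string parameter would otherwise reach `find_by_mail` unchanged. The enclosing `lost_password` action begins before and continues after this hunk, so the `if token.save` branch and what it sends are not visible here.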
@@ -141,4 +141,45 @@ class AccountControllerTest < ActionController::TestCase
 end
 end
 end
+
+ def test_get_lost_password_should_display_lost_password_form
+ get :lost_password
+ assert_response :success
+ assert_select 'input[name=mail]'
+ end
+
+ def test_lost_password_for_active_user_should_create_a_token
+ assert_difference 'ActionMailer::Base.deliveries.size' do
+ assert_difference 'Token.count' do
+ with_settings :host_name => 'mydomain.foo', :protocol => 'http' do
+ post :lost_password, :mail => 'JSmith@somenet.foo'
+ assert_redirected_to '/login'
+ end
+ end
+ end
+
+ token = Token.order('id DESC').first
+ assert_equal User.find(2), token.user
+ assert_equal 'recovery', token.action
+
+ assert_select_email do
+ assert_select "a[href=?]", "http://mydomain.foo/account/lost_password?token=#{token.value}"
+ end
+ end
+
+ def test_lost_password_for_unknown_user_should_fail
+ assert_no_difference 'Token.count' do
+ post :lost_password, :mail => 'invalid@somenet.foo'
+ assert_response :success
+ end
+ end
+
+ def test_lost_password_for_non_active_user_should_fail
+ assert User.find(2).lock!
+
+ assert_no_difference 'Token.count' do
+ post :lost_password, :mail => 'JSmith@somenet.foo'
+ assert_response :success
+ end
+ end
 end
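Review bot: The new `unless user.change_password_allowed?` branch in the controller hunk has no test here: `test_lost_password_for_non_active_user_should_fail` covers the `active?` half of the new condition, but nothing exercises a user whose password change is disallowed (for instance one bound to an external auth source, which is what the removed `auth_source_id` check handled), so that branch could be dropped without a failure. Both failure tests also assert only `assert_response :success` and an unchanged `Token.count`, so a regression that re-rendered the form with a wrong or empty error would still pass; asserting that no mail was delivered, `assert_no_difference 'ActionMailer::Base.deliveries.size'`, and pinning `flash[:error]` (if the discarded `flash.now` value is readable in this test case) would make them meaningful. Each test method is complete within the hunk; the enclosing test class starts before it.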