Merge pull request #18459 from laperlej/reset_password_deleted_user
[24.0] Disable password reset for deleted users [GCC2024_COFEST]
martenson authored Jun 29, 2024
2 parents ba5e53b + 2579e81 commit 2540ab1
Showing 2 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/galaxy/managers/users.py
Expand Up @@ -615,7 +615,7 @@ def get_reset_token(self, trans, email):
reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
if not reset_user and email != email.lower():
reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
if reset_user:
if reset_user and not reset_user.deleted:
prt = self.app.model.PasswordResetToken(reset_user)
trans.sa_session.add(prt)
with transaction(trans.sa_session):
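Review bot: The added `not reset_user.deleted` condition only stops a new token from being issued; a PasswordResetToken created before the account was deleted is not affected by it, and the code that redeems tokens is outside this hunk. That path should reject deleted users as well, or deletion should expire outstanding tokens, otherwise the guard covers only half of the reset flow. A short comment above the condition would record the intent, for example `# Deleted accounts get no reset token; callers treat this like an unknown email.` get_reset_token starts and ends outside the visible lines, so what it returns on the skipped branch is inferred from the test added in this commit.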
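--- a/test/unit/app/managers/test_UserManager.py
+++ b/test/unit/app/managers/test_UserManager.py
@@ -232,6 +232,16 @@ def validate_send_email(frm, to, subject, body, config, html=None):
 mock_unique_id.assert_called_once()
 assert result is None
 
+def test_reset_email_user_deleted(self):
+self.trans.app.config.allow_user_deletion = True
+self.log("should not produce the password reset email if user is deleted")
+user_email = "[email protected]"
+user = self.user_manager.create(email=user_email, username="nopassword")
+self.user_manager.delete(user)
+assert user.deleted is True
+message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
+assert message == "Failed to produce password reset token. User not found."
+
 def test_get_user_by_identity(self):
 # return None if username/email not found
 assert self.user_manager.get_user_by_identity("xyz") is None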
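Review bot: test_reset_email_user_deleted asserts only the returned message, so it would still pass if a token row were written or a mail sent before that message is produced. An assertion that no PasswordResetToken exists for the user after the call (and, if the mail helper is patched as the preceding test appears to do, that it was not called) would pin the security property rather than the wording. The test also sets `allow_user_deletion = True` on the config without restoring it; whether the fixture is rebuilt per test is not visible here. A one-line comment such as `# a deleted user must be indistinguishable from an unknown email` would explain why the expected string is the "User not found" one.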
