From e69d7b2f8b32369d754aea336102f5dfc2254f1c Mon Sep 17 00:00:00 2001
From: Jonathan Laperle
Date: Fri, 28 Jun 2024 08:01:25 -0400
Subject: [PATCH 1/4] Prevent deleted users from reseting password
---
 lib/galaxy/managers/users.py | 2 ++
 test/unit/app/managers/test_UserManager.py | 10 ++++++++++
 2 files changed, 12 insertions(+)
diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
index 59dc13184c3b..18f7adf40123 100644
--- a/lib/galaxy/managers/users.py
+++ b/lib/galaxy/managers/users.py
@@ -613,6 +613,8 @@ def send_reset_email(self, trans, payload, **kwd):
 def get_reset_token(self, trans, email):
 reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
+ if reset_user.deleted:
+ return None, None
 if not reset_user and email != email.lower():
 reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
 if reset_user:
diff --git a/test/unit/app/managers/test_UserManager.py b/test/unit/app/managers/test_UserManager.py
index 871daac25c8f..c160a39bd2da 100644
--- a/test/unit/app/managers/test_UserManager.py
+++ b/test/unit/app/managers/test_UserManager.py
@@ -232,6 +232,16 @@ def validate_send_email(frm, to, subject, body, config, html=None):
 mock_unique_id.assert_called_once()
 assert result is None
+ def test_reset_email_user_deleted(self):
+ self.trans.app.config.allow_user_deletion = True
+ self.log("should not produce the password reset email if user is deleted")
+ user_email = "user@nopassword.com"
+ user = self.user_manager.create(email=user_email, username="nopassword")
+ self.user_manager.delete(user)
+ assert user.deleted is True
+ message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
+ assert message == "Failed to produce password reset token. User not found."
+
 def test_get_user_by_identity(self):
 # return None if username/email not found
 assert self.user_manager.get_user_by_identity("xyz") is None
From a475dfd8d871e8ddac2db6c9774a4563ffa5203c Mon Sep 17 00:00:00 2001
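Review bot: test_reset_email_user_deleted only asserts the returned message; it never checks that no PasswordResetToken row was persisted for the deleted user, which is the property the guard in get_reset_token exists to enforce, so a regression that still adds the token but reports the failure string would pass. After the send_reset_email call, query `self.trans.sa_session` for `self.trans.app.model.PasswordResetToken` rows belonging to `user` and assert none exist (the token constructor takes the user positionally, so the relationship attribute name is not visible here and needs checking against the model). The expected message being identical to the unknown-address case is worth keeping: a caller of this path cannot tell a deleted account from a nonexistent one. The fixture values `user@nopassword.com` / `nopassword` look copied from a neighbouring test; a name that says "deleted" would make the intent of the fixture clearer.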
From: Jonathan Laperle
Date: Fri, 28 Jun 2024 12:10:52 -0400
Subject: [PATCH 2/4] Update lib/galaxy/managers/users.py
Co-authored-by: John Davis
---
 lib/galaxy/managers/users.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
index 18f7adf40123..82e949b34ff4 100644
--- a/lib/galaxy/managers/users.py
+++ b/lib/galaxy/managers/users.py
@@ -613,7 +613,7 @@ def send_reset_email(self, trans, payload, **kwd):
 def get_reset_token(self, trans, email):
 reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
- if reset_user.deleted:
+ if reset_user and reset_user.deleted:
 return None, None
 if not reset_user and email != email.lower():
 reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
From beb705428af8c493a499141645017b41c5311ba5 Mon Sep 17 00:00:00 2001
From: Jonathan Laperle
Date: Fri, 28 Jun 2024 12:50:05 -0400
Subject: [PATCH 3/4] fix indentation
---
 test/unit/app/managers/test_UserManager.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/unit/app/managers/test_UserManager.py b/test/unit/app/managers/test_UserManager.py
index c160a39bd2da..b8286838d103 100644
--- a/test/unit/app/managers/test_UserManager.py
+++ b/test/unit/app/managers/test_UserManager.py
@@ -233,14 +233,14 @@ def validate_send_email(frm, to, subject, body, config, html=None):
 assert result is None
 def test_reset_email_user_deleted(self):
- self.trans.app.config.allow_user_deletion = True
- self.log("should not produce the password reset email if user is deleted")
- user_email = "user@nopassword.com"
- user = self.user_manager.create(email=user_email, username="nopassword")
- self.user_manager.delete(user)
- assert user.deleted is True
- message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
- assert message == "Failed to produce password reset token. User not found."
+ self.trans.app.config.allow_user_deletion = True
+ self.log("should not produce the password reset email if user is deleted")
+ user_email = "user@nopassword.com"
+ user = self.user_manager.create(email=user_email, username="nopassword")
+ self.user_manager.delete(user)
+ assert user.deleted is True
+ message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
+ assert message == "Failed to produce password reset token. User not found."
 def test_get_user_by_identity(self):
 # return None if username/email not found
From 2579e8119688f47bae148daa0f49084377ea1cf5 Mon Sep 17 00:00:00 2001
From: Jonathan Laperle
Date: Sat, 29 Jun 2024 04:33:54 -0400
Subject: [PATCH 4/4] combine user exist check with user deleted check
---
 lib/galaxy/managers/users.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
index 82e949b34ff4..2196857cf479 100644
--- a/lib/galaxy/managers/users.py
+++ b/lib/galaxy/managers/users.py
@@ -613,11 +613,9 @@ def send_reset_email(self, trans, payload, **kwd):
 def get_reset_token(self, trans, email):
 reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
- if reset_user and reset_user.deleted:
- return None, None
 if not reset_user and email != email.lower():
 reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
- if reset_user:
+ if reset_user and not reset_user.deleted:
 prt = self.app.model.PasswordResetToken(reset_user)
 trans.sa_session.add(prt)
 with transaction(trans.sa_session):
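Review bot: The combined condition `if reset_user and not reset_user.deleted:` carries the security intent of the whole series but has no comment, and the fact that a deleted account deliberately falls through to the same outcome as an unknown address is only discoverable from the test in the first patch. Add a comment above that line along the lines of `# A deleted account must not be recoverable via a reset token; falling through to the not-found path keeps the response identical for unknown and deleted addresses, so this endpoint does not reveal account state.` Placing the check after the case-insensitive fallback is the right ordering, since it now covers both lookup paths. If the User model also tracks a separate purged state, confirm that deleted is always set alongside it; otherwise a purged-but-not-deleted row would still pass this check — that cannot be verified from this hunk. The remainder of get_reset_token, including what is returned when the condition is false, continues below the hunk.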