Prevent deleted users from logging in

h/schemas/forms/accounts/login.py

@@ -54,7 +54,7 @@ def validator(self, node, value):
             )
             raise err from exc
 
-        if user is None:
+        if user is None or user.deleted:
             err = colander.Invalid(node)
             err["username"] = _("User does not exist.")
             raise err

tests/unit/h/schemas/forms/accounts/login_test.py

@@ -63,6 +63,19 @@ def test_invalid_with_inactive_user(self, pyramid_csrf_request, user_service):
         assert "username" in errors
         assert "activate your account" in errors["username"]
 
+    def test_invalid_with_deleted_user(
+        self, pyramid_csrf_request, user_service, factories
+    ):
+        schema = LoginSchema().bind(request=pyramid_csrf_request)
+        user_service.fetch_for_login.return_value = factories.User.build(deleted=True)
+
+        with pytest.raises(colander.Invalid) as exc:
+            schema.deserialize({"username": "jeannie", "password": "cake"})
+
+        errors = exc.value.asdict()
+        assert "username" in errors
+        assert "does not exist" in errors["username"]
+
     def test_invalid_with_unknown_user(self, pyramid_csrf_request, user_service):
         schema = LoginSchema().bind(request=pyramid_csrf_request)
         user_service.fetch_for_login.return_value = None