Prevent deleted users from logging in

seanh · seanh · commit a8f8bd3c7736 · 2024-05-22T17:42:19.000+01:00
diff --git a/h/schemas/forms/accounts/login.py b/h/schemas/forms/accounts/login.py
@@ -54,7 +54,7 @@ def validator(self, node, value):
             )
             raise err from exc
 
-        if user is None:
+        if user is None or user.deleted:
             err = colander.Invalid(node)
             err["username"] = _("User does not exist.")
             raise err
diff --git a/tests/unit/h/schemas/forms/accounts/login_test.py b/tests/unit/h/schemas/forms/accounts/login_test.py
@@ -63,6 +63,19 @@ def test_invalid_with_inactive_user(self, pyramid_csrf_request, user_service):
         assert "username" in errors
         assert "activate your account" in errors["username"]
 
+    def test_invalid_with_deleted_user(
+        self, pyramid_csrf_request, user_service, factories
+    ):
+        schema = LoginSchema().bind(request=pyramid_csrf_request)
+        user_service.fetch_for_login.return_value = factories.User.build(deleted=True)
+
+        with pytest.raises(colander.Invalid) as exc:
+            schema.deserialize({"username": "jeannie", "password": "cake"})
+
+        errors = exc.value.asdict()
+        assert "username" in errors
+        assert "does not exist" in errors["username"]
+
     def test_invalid_with_unknown_user(self, pyramid_csrf_request, user_service):
         schema = LoginSchema().bind(request=pyramid_csrf_request)
         user_service.fetch_for_login.return_value = None

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ def validator(self, node, value):`
`54`	`54`	`)`
`55`	`55`	`raise err from exc`
`56`	`56`
`57`		`- if user is None:`
	`57`	`+ if user is None or user.deleted:`
`58`	`58`	`err = colander.Invalid(node)`
`59`	`59`	`err["username"] = _("User does not exist.")`
`60`	`60`	`raise err`