Prevent deleted users from reseting password

lib/galaxy/managers/users.py

@@ -613,6 +613,8 @@ def send_reset_email(self, trans, payload, **kwd):
 
     def get_reset_token(self, trans, email):
         reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
+        if reset_user.deleted:
+            return None, None
         if not reset_user and email != email.lower():
             reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
         if reset_user:

test/unit/app/managers/test_UserManager.py

@@ -232,6 +232,16 @@ def validate_send_email(frm, to, subject, body, config, html=None):
                 mock_unique_id.assert_called_once()
         assert result is None
 
+    def test_reset_email_user_deleted(self):
+            self.trans.app.config.allow_user_deletion = True
+            self.log("should not produce the password reset email if user is deleted")
+            user_email = "[email protected]"
+            user = self.user_manager.create(email=user_email, username="nopassword")
+            self.user_manager.delete(user)
+            assert user.deleted is True
+            message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
+            assert message == "Failed to produce password reset token. User not found."
+
     def test_get_user_by_identity(self):
         # return None if username/email not found
         assert self.user_manager.get_user_by_identity("xyz") is None