Unverified Commit b183c55f authored by Martin Cech's avatar Martin Cech Committed by GitHub

Merge pull request #18479 from ahmedhamidawan/prevent_user_account_queryable_on_reset

[24.0] Return generic message for password reset email
parents 58c55d4a 839fd0c5
+3 −2
@@ -608,8 +608,9 @@ class UserManager(base.ModelManager, deletable.PurgableManagerMixin):
                except Exception as e:
                    log.debug(body)
                    return f"Failed to submit email. Please contact the administrator: {util.unicodify(e)}"
            else:
                return "Failed to produce password reset token. User not found."
        if not reset_user:
            log.warning(f"Failed to produce password reset token. User with email '{email}' not found.")
        return None

    def get_reset_token(self, trans, email):
        reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
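Review bot: The `except` branch still returns `Failed to submit email. Please contact the administrator: ...` to the caller, and it appears to be reachable only once an account was found (the enclosing branch starts above the hunk, so this is inferred). A mail-delivery failure would therefore still separate registered addresses from unknown ones, and it echoes exception text to the requester. Consider logging the exception server-side and falling through to `return None`, so the result is the same for every syntactically valid address; the controller hunk that hands any non-None message to `message_exception` sits on the same path. The new `log.warning` also interpolates the request-supplied `email` as-is; `log.warning("Password reset requested for unknown email %r", email)` escapes control characters and defers formatting.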
+1 −1
@@ -342,7 +342,7 @@ class User(BaseUIController, UsesFormDefinitionsMixin):
        payload = payload or {}
        if message := self.user_manager.send_reset_email(trans, payload):
            return self.message_exception(trans, message)
        return {"message": "Reset link has been sent to your email."}
        return {"message": "If an account exists for this email address a confirmation email will be dispatched."}

    def __get_redirect_url(self, redirect):
        if not redirect or redirect == "None":
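Review bot: The new generic response string has no comment saying that its wording must not depend on whether the account exists, so a later edit could reintroduce a more specific message. Add a line above the return such as `# Same response whether or not the account exists; do not reveal account existence here.` The enclosing method starts outside the hunk.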
+1 −1
@@ -240,7 +240,7 @@ class TestUserManager(BaseTestCase):
        self.user_manager.delete(user)
        assert user.deleted is True
        message = self.user_manager.send_reset_email(self.trans, {"email": user_email})
        assert message == "Failed to produce password reset token. User not found."
        assert message is None

    def test_get_user_by_identity(self):
        # return None if username/email not found
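Review bot: The updated assertion covers only a deleted user; an address that was never registered is not exercised, so the not-found path this change targets is tested through one case only. Add a second check such as `assert self.user_manager.send_reset_email(self.trans, {"email": "unknown@example.org"}) is None` (address constructed for the test). The test method starts above the hunk.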