From 7c2acc34c95bb3b6e9cef5ab8a77c1126b9f7738 Mon Sep 17 00:00:00 2001
From: Evghenii Goncearov
Date: Sun, 11 Aug 2019 17:29:26 +0300
Subject: [PATCH] Dont send password reset link to disabled users (#2631)

* Dont send password reset link to disabled users

* Update email subject

* Update blocked email text.

* Update blocked email text (plain text version).

* Remove debug print.
---
 redash/authentication/account.py            |  8 +++++++
 redash/handlers/authentication.py           |  6 +++++-
 redash/templates/emails/reset_disabled.html | 10 +++++++++
 redash/templates/emails/reset_disabled.txt  |  3 +++
 tests/test_authentication.py                | 23 +++++++++++++++++++++
 5 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 redash/templates/emails/reset_disabled.html
 create mode 100644 redash/templates/emails/reset_disabled.txt

diff --git a/redash/authentication/account.py b/redash/authentication/account.py
index 54a8ae6551..16bd90c811 100644
--- a/redash/authentication/account.py
+++ b/redash/authentication/account.py
@@ -71,3 +71,11 @@ def send_password_reset_email(user):
     send_mail.delay([user.email], subject, html_content, text_content)
 
     return reset_link
+
+
+def send_user_disabled_email(user):
+    html_content = render_template('emails/reset_disabled.html', user=user)
+    text_content = render_template('emails/reset_disabled.txt', user=user)
+    subject = u"Your Redash account is disabled"
+
+    send_mail.delay([user.email], subject, html_content, text_content)
diff --git a/redash/handlers/authentication.py b/redash/handlers/authentication.py
index ec69a80c5c..a698dfb496 100644
--- a/redash/handlers/authentication.py
+++ b/redash/handlers/authentication.py
@@ -7,6 +7,7 @@ from redash.authentication import current_org, get_login_url, get_next_path
 from redash.authentication.account import (BadSignature, SignatureExpired,
                                            send_password_reset_email,
+                                           send_user_disabled_email,
                                            send_verify_email, validate_token)
 from redash.handlers import routes
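Review bot: `send_user_disabled_email` has no docstring, and unlike its neighbour `send_password_reset_email` it returns nothing, so a reader has to open both templates to learn what it sends and why; add `"""Tell a disabled user that a password reset was requested; sent in place of a reset link, which a disabled account must not receive."""` directly under the `def`. Both functions assemble the same four arguments for `send_mail.delay` from a template pair and a subject, so a small shared helper taking `(user, template_name, subject)` would keep the two paths from drifting, though that is optional. `send_password_reset_email` starts above the hunk; only its tail is visible here.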
@@ -118,7 +119,10 @@ def forgot_password(org_slug=None):
     try:
         org = current_org._get_current_object()
         user = models.User.get_by_email_and_org(email, org)
-        send_password_reset_email(user)
+        if user.is_disabled:
+            send_user_disabled_email(user)
+        else:
+            send_password_reset_email(user)
     except NoResultFound:
         logging.error("No user found for forgot password: %s", email)
diff --git a/redash/templates/emails/reset_disabled.html b/redash/templates/emails/reset_disabled.html
new file mode 100644
index 0000000000..5b7a05767e
--- /dev/null
+++ b/redash/templates/emails/reset_disabled.html
@@ -0,0 +1,10 @@
+{% extends "emails/layout.html" %}
+
+{% block content %}
+
+
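Review bot: The new branch on `user.is_disabled` changes which mail is sent but nothing in the hunk records that the requester must not be able to tell the two cases apart, which is the property that keeps this endpoint from leaking account state to an unauthenticated caller; a comment above the `if` would protect it from a later "return an error for disabled accounts" change: `# Disabled accounts get a notice instead of a reset link; the HTTP response must stay identical in both branches so the requester cannot infer the account's state.` The response itself is built after the `try`, outside the hunk, and is presumably shared by both branches, but that should be confirmed in the full function. The disabled notice is still triggered by the same unauthenticated POST as the reset link, so any throttling that applies to `/forgot` should cover both branches; that cannot be checked from this hunk either. `forgot_password` begins and ends outside the hunk.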

Hi {{ user.name }},

+

+ You asked for a password reset email, but your Redash account is disabled and therefore can't reset the password. Please contact your Redash admin for enabling again your account. +

+
+{% endblock %}
diff --git a/redash/templates/emails/reset_disabled.txt b/redash/templates/emails/reset_disabled.txt
new file mode 100644
index 0000000000..7a018ad115
--- /dev/null
+++ b/redash/templates/emails/reset_disabled.txt
@@ -0,0 +1,3 @@
+Hi {{ user.name }},
+
+You asked for a password reset email, but your Redash account is disabled and therefore can't reset the password. Please contact your Redash admin for enabling again your account.
diff --git a/tests/test_authentication.py b/tests/test_authentication.py
index 192bb53316..a3915d8f85 100644
--- a/tests/test_authentication.py
+++ b/tests/test_authentication.py
@@ -319,3 +319,26 @@ def test_remote_login_custom_header(self):
         })
         self.assert_correct_user_attributes(self.get_test_user())
+
+
+class TestUserForgotPassword(BaseTestCase):
+    def test_user_should_receive_password_reset_link(self):
+        user = self.factory.create_user()
+
+        with patch('redash.handlers.authentication.send_password_reset_email') as send_password_reset_email_mock:
+            response = self.post_request('/forgot', org=user.org, data={'email': user.email})
+            self.assertEqual(response.status_code, 200)
+            send_password_reset_email_mock.assert_called_with(user)
+
+    def test_disabled_user_should_not_receive_password_reset_link(self):
+        user = self.factory.create_user()
+        user.disable()
+        self.db.session.add(user)
+        self.db.session.commit()
+
+        with patch('redash.handlers.authentication.send_password_reset_email') as send_password_reset_email_mock,\
+             patch('redash.handlers.authentication.send_user_disabled_email') as send_user_disabled_email_mock:
+            response = self.post_request('/forgot', org=user.org, data={'email': user.email})
+            self.assertEqual(response.status_code, 200)
+            send_password_reset_email_mock.assert_not_called()
+            send_user_disabled_email_mock.assert_called_with(user)
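Review bot: The sentence `Please contact your Redash admin for enabling again your account.` reads awkwardly, and the same wording appears in the plain-text template `reset_disabled.txt` in the next hunk; `Please contact your Redash admin to have your account re-enabled.` is the natural phrasing for both. `{{ user.name }}` is user-controlled content rendered into an HTML email and relies on the template engine escaping it, which is presumably configured the same way as for the other `emails/` templates but cannot be confirmed from this hunk. The rendering of this diff has dropped the HTML tags around the greeting and the body paragraph, so the markup should be checked against the actual file rather than this listing.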
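Review bot: Neither test covers the third path of `forgot_password`, the unknown-address case that ends in `NoResultFound`, so nothing pins that an unknown address still gets the same 200 and that neither mail function is called; a third test mirroring the second one, posting an address the factory did not create (a constructed value such as `'nobody@example.com'`) and asserting both mocks are not called, would document that the endpoint does not distinguish unknown, active and disabled accounts. Style-wise, the backslash-continued `with patch(...) as send_password_reset_email_mock,\` line is fragile; stacking the two `patch` calls as decorators on the test method, or nesting two `with` statements, avoids it. The hunk's leading context belongs to `test_remote_login_custom_header`, which starts above it.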