Backport 1.9.3

yoda_eus/app.py

@@ -229,6 +229,8 @@ def delete_user() -> Response:
         if len(UserZone.query.filter_by(user_id=user.id).all()) == 0:
             User.query.filter_by(username=content['username']).delete()
 
+        db.session.commit()
+
         # Return result
         response = {"status": "ok", "message": "User {} deleted from zone {}.".format(content["username"],
                                                                                       content["userzone"])}
@@ -342,14 +344,6 @@ def process_forgot_password() -> Response:
             errors = {"errors": ["Please enter your user name (email address)"]}
             return render_template('forgot-password.html', **errors)
 
-        user = User.query.filter_by(username=username).first()
-
-        if user is None:
-            errors = {"errors": ["User name not found. Only external users can reset their password."]}
-            response = make_response(render_template('forgot-password.html', **errors))
-            response.status_code = 404
-            return response
-
         if (not is_email_valid(username) and app.config.get("MAIL_ONLY_TO_VALID_ADDRESS").lower() == "true"):
             errors = {
                 "errors": ["Unable to send password reset email, "
@@ -359,6 +353,11 @@ def process_forgot_password() -> Response:
             response.status_code = 404
             return response
 
+        user = User.query.filter_by(username=username).first()
+        if user is None:
+            # User name not found. Only external users can reset their password.
+            return render_template("forgot-password-successful.html"), 200
+
         # Generate and update user hash
         secret_hash = get_random_hash()
         user.hash = secret_hash

yoda_eus/templates/web/forgot-password-successful.html

@@ -12,7 +12,7 @@
     <div class="offset-md-2 col-md-8">
         <div class="card">
             <div class="card-body">
-            We have sent you an email to reset your password.
+            If an account is associated with this email address, you will soon receive an email with instructions to reset your password.
             </div>
         </div>
     </div>

yoda_eus/tests/test_integration.py

@@ -66,6 +66,9 @@ def test_add_and_remove_user_once(self, test_client):
             assert response1.status_code == 201
             response2 = c.post('/api/user/delete', json=rm_params, headers=auth_headers)
             assert response2.status_code == 204
+            # This delete call is to verify that the user is really gone
+            response3 = c.post('/api/user/delete', json=rm_params, headers=auth_headers)
+            assert response3.status_code == 404
 
     def test_add_and_remove_user_twice(self, test_client):
         auth_headers = {'X-Yoda-External-User-Secret': 'dummy_api_secret'}
@@ -87,6 +90,9 @@ def test_add_and_remove_user_twice(self, test_client):
             assert response3.status_code == 204
             response4 = c.post('/api/user/delete', json=rm2_params, headers=auth_headers)
             assert response4.status_code == 204
+            # This delete call is to verify that the user is really gone
+            response5 = c.post('/api/user/delete', json=rm2_params, headers=auth_headers)
+            assert response5.status_code == 404
 
     def test_forgot_password_show_form(self, test_client):
         with test_client as c:
@@ -96,7 +102,7 @@ def test_forgot_password_show_form(self, test_client):
     def test_forgot_password_nonexistent(self, test_client):
         with test_client as c:
             response = c.post('/user/forgot-password', data={"username": "doesnotexist"})
-            assert response.status_code == 404
+            assert response.status_code == 200
 
     def test_forgot_password_existing(self, test_client):
         auth_headers = {'X-Yoda-External-User-Secret': 'dummy_api_secret'}