Merge pull request #20801 from jdavcs/25.0_20687

mvdbeek · web-flow · commit 66940cac694b · 2025-08-21T17:02:43.000+02:00
[25.0] Fix password reset functionality for lowercase emails
diff --git a/lib/galaxy/managers/users.py b/lib/galaxy/managers/users.py
@@ -580,7 +580,7 @@ def send_reset_email(self, trans, payload, **kwd):
 
     def get_reset_token(self, trans, email):
         reset_user = get_user_by_email(trans.sa_session, email, self.app.model.User)
-        if not reset_user and email != email.lower():
+        if not reset_user:
             reset_user = self._get_user_by_email_case_insensitive(trans.sa_session, email)
         if reset_user and not reset_user.deleted:
             prt = self.app.model.PasswordResetToken(reset_user)
diff --git a/lib/galaxy/security/validate_user_input.py b/lib/galaxy/security/validate_user_input.py
@@ -85,6 +85,7 @@ def validate_email(trans, email, user=None, check_dup=True, allow_empty=False, v
     Validates the email format.
     Checks whether the domain is blocklisted in the disposable domains configuration.
     Checks whether the email address is banned.
+    Optionally checks if email exists.
     """
     if (user and user.email == email) or (email == "" and allow_empty):
         return ""
diff --git a/test/unit/webapps/test_login.py b/test/unit/webapps/test_login.py
@@ -11,11 +11,11 @@
 from galaxy.util.unittest import TestCase
 from galaxy.webapps.galaxy.controllers.user import User
 
-admin_email = "admin@admin.admin"
+admin_email = "admin@example.org"
 admin_users = admin_email
 default_password = "123456"
 changed_password = "654321"
-user2_data = dict(email="user2@user2.user2", username="user2", password=default_password)
+user2_data = dict(email="User2@example.org", username="user2", password=default_password)
 
 
 class TestLoginController(TestCase):
@@ -84,3 +84,14 @@ def test_login(self):
             controller.login(self.trans, payload={"login": user2.username, "password": default_password})
         )
         assert response["message"] == "Success."
+
+    def test_get_reset_token(self):
+        def _check_reset_token(email):
+            reset_user, prt = self.user_manager.get_reset_token(self.trans, email)
+            assert user2 == reset_user
+            assert prt.user == user2
+
+        user2 = self.user_manager.create(**user2_data)
+        _check_reset_token(user2_data["email"])
+        _check_reset_token(user2_data["email"].lower())
+        _check_reset_token(user2_data["email"].upper())
