Prevent deleted users from logging in

h/services/user.py

@@ -155,7 +155,7 @@ def fetch_for_login(self, username_or_email):
 
         user = self.session.query(User).filter(*filters).one_or_none()
 
-        if user is None:
+        if user is None or user.deleted:
             return None
 
         if not user.is_activated:

tests/unit/h/services/user_test.py

@@ -77,6 +77,16 @@ def test_fetch_for_login_by_email_not_activated(self, svc):
         with pytest.raises(UserNotActivated):
             svc.fetch_for_login("mirthe@deboer.com")
 
+    def test_fetch_for_login_by_username_deleted(self, svc, factories):
+        user = factories.User(deleted=True)
+
+        assert svc.fetch_for_login(user.username) is None
+
+    def test_fetch_for_login_by_email_deleted(self, svc, factories):
+        user = factories.User(deleted=True)
+
+        assert svc.fetch_for_login(user.email) is None
+
     def test_update_preferences_tutorial_enable(self, svc, factories):
         user = factories.User.build(sidebar_tutorial_dismissed=True)