Tell user their account is deactivated in password reset email (#16744)

src/metabase/api/session.clj

@@ -193,11 +193,11 @@
   (let [request-source (request.u/ip-address request)]
     (throttle-check (forgot-password-throttlers :ip-address) request-source))
   (throttle-check (forgot-password-throttlers :email)      email)
-  (when-let [{user-id :id, google-auth? :google_auth} (db/select-one [User :id :google_auth]
-                                                        :%lower.email (u/lower-case-en email), :is_active true)]
+  (when-let [{user-id :id, google-auth? :google_auth, is-active? :is_active}
+             (db/select-one [User :id :google_auth :is_active] :%lower.email (u/lower-case-en email))]
     (let [reset-token        (user/set-password-reset-token! user-id)
           password-reset-url (str (public-settings/site-url) "/auth/reset_password/" reset-token)]
-      (email/send-password-reset-email! email google-auth? server-name password-reset-url)
+      (email/send-password-reset-email! email google-auth? server-name password-reset-url is-active?)
       (log/info password-reset-url)))
   api/generic-204-no-content)
 

src/metabase/email/messages.clj

@@ -52,8 +52,8 @@
           svg    (u/decode-base64 base64)
           themed (str/replace svg #"<svg\b([^>]*)( fill=\"[^\"]*\")([^>]*)>" (str "<svg$1$3 fill=\"" color "\">"))]
       (str "data:image/svg+xml;base64," (u/encode-base64 themed)))
-  (catch Throwable e
-    url)))
+    (catch Throwable e
+      url)))
 
 (defn- logo-url []
   (let [url   (public-settings/application-logo-url)
@@ -166,18 +166,22 @@
 
 (defn send-password-reset-email!
   "Format and send an email informing the user how to reset their password."
-  [email google-auth? hostname password-reset-url]
+  [email google-auth? hostname password-reset-url is-active?]
   {:pre [(m/boolean? google-auth?)
          (u/email? email)
          (string? hostname)
          (string? password-reset-url)]}
-  (let [message-body (stencil/render-file "metabase/email/password_reset"
-                       (merge (common-context)
-                              {:emailType        "password_reset"
-                               :hostname         hostname
-                               :sso              google-auth?
-                               :passwordResetUrl password-reset-url
-                               :logoHeader       true}))]
+  (let [message-body (stencil/render-file
+                      "metabase/email/password_reset"
+                      (merge (common-context)
+                             {:emailType        "password_reset"
+                              :hostname         hostname
+                              :sso              google-auth?
+                              :passwordResetUrl password-reset-url
+                              :logoHeader       true
+                              :isActive         is-active?
+                              :adminEmail       (public-settings/admin-email)
+                              :adminEmailSet    (boolean (public-settings/admin-email))}))]
     (email/send-message!
       :subject      (trs "[{0}] Password Reset Request" (app-name-trs))
       :recipients   [email]

src/metabase/email/password_reset.mustache

@@ -5,11 +5,20 @@
       <a href="{{hostname}}">Go to {{applicationName}}</a>
     {{/sso}}
     {{^sso}}
-    <div style="text-align: center">
-      <p>Click the button below to reset the password for your {{applicationName}} account at {{hostname}}.</p>
-      <a style="display: inline-block; box-sizing: border-box; font-size: 18px; padding: 8px 22px; cursor: pointer; text-decoration: none; border-radius: 4px; background-color: #4990E2; border-color: #4990E2; color: #fff;" href="{{passwordResetUrl}}">Reset password</a>
-      <p style="padding-top: 2em; font-size: small;">Didn't request this password reset? It's safe to ignore it.</p>
-    </div>
+      {{#isActive}}
+        <div style="text-align: center">
+          <p>Click the button below to reset the password for your {{applicationName}} account at {{hostname}}.</p>
+          <a style="display: inline-block; box-sizing: border-box; font-size: 18px; padding: 8px 22px; cursor: pointer; text-decoration: none; border-radius: 4px; background-color: #4990E2; border-color: #4990E2; color: #fff;" href="{{passwordResetUrl}}">Reset password</a>
+          <p style="padding-top: 2em; font-size: small;">Didn't request this password reset? It's safe to ignore it.</p>
+        </div>
+      {{/isActive}}
+      {{^isActive}}
+        <p>Someone requested a password reset for your {{applicationName}} account at {{hostname}}, but your account
+        has been deactivated. Contact an administrator for further assistance.</p>
+        {{#adminEmailSet}}
+          <a href="mailto:{{adminEmail}}">Contact your administrator</a>
+        {{/adminEmailSet}}
+      {{/isActive}}
     {{/sso}}
   </div>
 {{> metabase/email/_footer }}

test/metabase/email/messages_test.clj

 (ns metabase.email.messages-test
-  (:require [clojure.test :refer :all]
+  (:require [clojure.string :as str]
+            [clojure.test :refer :all]
             [metabase.email-test :as email-test]
             [metabase.email.messages :as messages]
             [metabase.test.util :as tu])
   (:import java.io.IOException))
 
-;; new user email
-;; NOTE: we are not validating the content of the email body namely because it's got randomized elements and thus
-;;       it would be extremely hard to have a predictable test that we can rely on
 (deftest new-user-email
   (is (= [{:from    "notifications@metabase.com",
            :to      ["test@test.com"],
@@ -21,16 +19,33 @@
              (-> (@email-test/inbox "test@test.com")
                  (update-in [0 :body 0] dissoc :content)))))))
 
-;; password reset email
 (deftest password-reset-email
-  (is (= [{:from    "notifications@metabase.com",
-           :to      ["test@test.com"],
-           :subject "[Metabase] Password Reset Request",
-           :body    [{:type "text/html; charset=utf-8"}]}]
-         (email-test/with-fake-inbox
-           (messages/send-password-reset-email! "test@test.com" (not :google-auth) "test.domain.com" "http://localhost/some/url")
-           (-> (@email-test/inbox "test@test.com")
-               (update-in [0 :body 0] dissoc :content))))))
+  (testing "password reset email can be sent successfully"
+    (email-test/do-with-fake-inbox
+     (fn []
+       (messages/send-password-reset-email! "test@test.com" false "test.domain.com" "http://localhost/some/url" true)
+       (is (= [{:from    "notifications@metabase.com",
+                :to      ["test@test.com"],
+                :subject "[Metabase] Password Reset Request",
+                :body    [{:type "text/html; charset=utf-8"}]}]
+              (-> (@email-test/inbox "test@test.com")
+                  (update-in [0 :body 0] dissoc :content)))))))
+  ;; Email contents contain randomized elements, so we only check for the inclusion of a single word to verify
+  ;; that the contents changed in the tests below.
+  (testing "password reset email tells user if they should log in with Google Sign-In"
+    (email-test/do-with-fake-inbox
+     (fn []
+       (messages/send-password-reset-email! "test@test.com" true "test.domain.com" "http://localhost/some/url" true)
+       (is (-> (@email-test/inbox "test@test.com")
+               (get-in [0 :body 0 :content])
+               (str/includes? "Google"))))))
+  (testing "password reset email tells user if their account is inactive"
+    (email-test/do-with-fake-inbox
+     (fn []
+       (messages/send-password-reset-email! "test@test.com" false "test.domain.com" "http://localhost/some/url" false)
+       (is (-> (@email-test/inbox "test@test.com")
+               (get-in [0 :body 0 :content])
+               (str/includes? "deactivated")))))))
 
 (defmacro ^:private with-create-temp-failure [& body]
   `(with-redefs [messages/create-temp-file (fn [~'_]