From 11f1a4662e5727faf89115fc2be8cf30c575dc8a Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Wed, 21 Jun 2023 15:46:50 -0700
Subject: [PATCH 1/3] Don't allow invalid account reactivation
---
 bookwyrm/models/user.py | 2 ++
 bookwyrm/views/landing/register.py | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/bookwyrm/models/user.py b/bookwyrm/models/user.py
index f39468246..bf4f9401b 100644
--- a/bookwyrm/models/user.py
+++ b/bookwyrm/models/user.py
@@ -394,6 +394,8 @@ class User(OrderedCollectionPageMixin, AbstractUser):
 def reactivate(self):
 """Now you want to come back, huh?"""
 # pylint: disable=attribute-defined-outside-init
+ if not user.allow_reactivation:
+ return
 self.is_active = True
 self.deactivation_reason = None
 self.allow_reactivation = False
diff --git a/bookwyrm/views/landing/register.py b/bookwyrm/views/landing/register.py
index 2e1a1d321..e5a76a0d6 100644
--- a/bookwyrm/views/landing/register.py
+++ b/bookwyrm/views/landing/register.py
@@ -105,7 +105,9 @@ class ConfirmEmailCode(View):
 # look up the user associated with this code
 try:
- user = models.User.objects.get(confirmation_code=code)
+ user = models.User.objects.get(
+ confirmation_code=code, deactivation_reason="pending"
+ )
 except models.User.DoesNotExist:
 return TemplateResponse(
 request, "confirm_email/confirm_email.html", {"valid": False}
From 6a949c24e2cfc82917f168c06a460c152b42d081 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Wed, 21 Jun 2023 15:52:32 -0700
Subject: [PATCH 2/3] Typo fix
---
 bookwyrm/models/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bookwyrm/models/user.py b/bookwyrm/models/user.py
index bf4f9401b..268a6c2a3 100644
--- a/bookwyrm/models/user.py
+++ b/bookwyrm/models/user.py
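Review bot: In `reactivate()` (bookwyrm/models/user.py, PATCH 1/3) the new guard ends in a bare `return`, so a refused reactivation and a successful one both return None and a caller cannot tell them apart. Any view that calls this method and then logs the user in or reports success has to re-check `is_active` itself; returning a flag (`return False` in the guard, `return True` at the end) or raising would make the refusal explicit. The docstring should also state the precondition, for example `"""Reactivate the account, but only when allow_reactivation is set"""`. The end of the method is outside the hunk.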
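Review bot: The comment above the lookup in `ConfirmEmailCode` (bookwyrm/views/landing/register.py, PATCH 1/3) still reads `# look up the user associated with this code`, although the query now matches only accounts whose `deactivation_reason` is "pending". The reason for the filter belongs there, e.g. `# a confirmation code may only activate a pending (unconfirmed) account, never one deactivated for another reason`. The literal "pending" is also written in `Register` (visible in PATCH 3/3), so a shared constant would keep the two from drifting apart. What the view does with `user` after the lookup is outside the hunk.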
@@ -394,7 +394,7 @@ class User(OrderedCollectionPageMixin, AbstractUser):
 def reactivate(self):
 """Now you want to come back, huh?"""
 # pylint: disable=attribute-defined-outside-init
- if not user.allow_reactivation:
+ if not self.allow_reactivation:
 return
 self.is_active = True
 self.deactivation_reason = None
From a7e6919b9690e7030a3cc8d437576b060bbe65c9 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 16 Jul 2023 05:53:46 -0700
Subject: [PATCH 3/3] Fixes confirm email slow and adds test
---
 bookwyrm/tests/views/landing/test_register.py | 8 ++++++-
 .../views/preferences/test_delete_user.py | 21 +++++++++++++++++++
 bookwyrm/views/landing/register.py | 1 +
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/bookwyrm/tests/views/landing/test_register.py b/bookwyrm/tests/views/landing/test_register.py
index b08b28a61..04f3a25ec 100644
--- a/bookwyrm/tests/views/landing/test_register.py
+++ b/bookwyrm/tests/views/landing/test_register.py
@@ -347,11 +347,17 @@ class RegisterViews(TestCase):
 self.settings.save()
 self.local_user.is_active = False
+ self.local_user.allow_reactivation = True
 self.local_user.deactivation_reason = "pending"
 self.local_user.confirmation_code = "12345"
 self.local_user.save(
 broadcast=False,
- update_fields=["is_active", "deactivation_reason", "confirmation_code"],
+ update_fields=[
+ "is_active",
+ "allow_reactivation",
+ "deactivation_reason",
+ "confirmation_code",
+ ],
 )
 view = views.ConfirmEmailCode.as_view()
 request = self.factory.get("")
diff --git a/bookwyrm/tests/views/preferences/test_delete_user.py b/bookwyrm/tests/views/preferences/test_delete_user.py
index 151b9ab2e..1994a5a4d 100644
--- a/bookwyrm/tests/views/preferences/test_delete_user.py
+++ b/bookwyrm/tests/views/preferences/test_delete_user.py
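Review bot: The `RegisterViews` test touched here (bookwyrm/tests/views/landing/test_register.py) exercises only the accepted path, with `allow_reactivation = True` and `deactivation_reason = "pending"`. As far as this series shows, nothing tests the case the fix is meant to stop: a matching `confirmation_code` presented for an account whose `deactivation_reason` is something other than "pending". A companion test that sets up such an account, calls `ConfirmEmailCode`, and asserts the account is still inactive afterwards would pin the new filter. The test method's name and its assertions are outside the hunk.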
@@ -141,3 +141,24 @@ class DeleteUserViews(TestCase):
 self.local_user.refresh_from_db()
 self.assertTrue(self.local_user.is_active)
 self.assertIsNone(self.local_user.deactivation_reason)
+
+ def test_reactivate_user_post_disallowed(self, _):
+ """Reactivate action under the wrong circumstances"""
+ self.local_user.is_active = False
+ self.local_user.save(broadcast=False)
+
+ view = views.ReactivateUser.as_view()
+ form = forms.LoginForm()
+ form.data["localname"] = "mouse"
+ form.data["password"] = "password"
+ request = self.factory.post("", form.data)
+ request.user = self.local_user
+ middleware = SessionMiddleware()
+ middleware.process_request(request)
+ request.session.save()
+
+ with patch("bookwyrm.views.preferences.delete_user.login"):
+ view(request)
+
+ self.local_user.refresh_from_db()
+ self.assertFalse(self.local_user.is_active)
diff --git a/bookwyrm/views/landing/register.py b/bookwyrm/views/landing/register.py
index e5a76a0d6..26d8e1813 100644
--- a/bookwyrm/views/landing/register.py
+++ b/bookwyrm/views/landing/register.py
@@ -74,6 +74,7 @@ class Register(View):
 password,
 localname=localname,
 local=True,
+ allow_reactivation=settings.require_confirm_email,
 deactivation_reason="pending" if settings.require_confirm_email else None,
 is_active=not settings.require_confirm_email,
 preferred_timezone=preferred_timezone,
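Review bot: `test_reactivate_user_post_disallowed` never sets `allow_reactivation`, so it passes only if the fixture user (created outside the hunk) already has it false; adding `self.local_user.allow_reactivation = False` before the save makes the precondition explicit. The patched `login` is also discarded, so the test would not notice a view that leaves the account inactive but still logs the user in. Binding the mock (`with patch(...) as login_mock:`) and adding `login_mock.assert_not_called()` would cover that, assuming the view is meant to skip login when reactivation is refused.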
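Review bot: The added `allow_reactivation=settings.require_confirm_email` keyword in `Register` only covers accounts created after this change. Accounts already in the "pending" state were created without it, and if the field defaults to false (its definition is not shown here) their confirmation links will now hit the guard in `reactivate()` and leave them inactive. A data migration that sets `allow_reactivation=True` where `deactivation_reason="pending"` would cover them. The surrounding call starts and ends outside the hunk.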