Don't allow password resets for holding accounts

services/web/app/coffee/Features/PasswordReset/PasswordResetHandler.coffee

@@ -11,7 +11,7 @@ module.exports =
 	generateAndEmailResetToken:(email, callback = (error, exists) ->)->
 		UserGetter.getUser email:email, (err, user)->
 			if err then return callback(err)
-			if !user?
+			if !user? or user.holdingAccount
 				logger.err email:email, "user could not be found for password reset"
 				return callback(null, false)
 			PasswordResetTokenHandler.getNewToken user._id, (err, token)->

services/web/test/UnitTests/coffee/PasswordReset/PasswordResetHandlerTests.coffee

@@ -60,6 +60,13 @@ describe "PasswordResetHandler", ->
 				args[1].setNewPasswordUrl.should.equal "#{@settings.siteUrl}/user/password/set?passwordResetToken=#{@token}"
 				done()
 
+		it "should return exists = false for a holdingAccount", (done) ->
+			@user.holdingAccount = true
+			@UserGetter.getUser.callsArgWith(1, null, @user)
+			@PasswordResetTokenHandler.getNewToken.callsArgWith(1)
+			@PasswordResetHandler.generateAndEmailResetToken @user.email, (err, exists)=>
+				exists.should.equal false
+				done()
 
 	describe "setNewUserPassword", ->