fix: treat enabled-but-passwordless portal as inactive (no dead form / self-lockout)

tests/test_portal_gate.py

@@ -45,3 +45,16 @@ def test_lockout_after_five_wrong(client, db_session):
     assert r.status_code == 200
     assert "portal_session=" not in r.headers.get("set-cookie", "")
     assert "too many" in r.text.lower()
+
+
+def test_enabled_without_password_is_not_accessible(client, db_session):
+    # enabled portal but no password set yet (operator enabled before generating one)
+    # must NOT show a usable form — looks like an invalid link, no self-lockout.
+    make_project(db_session, portal_enabled=True, portal_link_token="tok-nopw")
+    r = client.get("/portal/p/tok-nopw")
+    assert r.status_code == 404
+    assert "isn't valid" in r.text.lower()
+    # and a POST can't succeed or set a cookie either
+    r2 = client.post("/portal/p/tok-nopw", data={"password": "anything"}, follow_redirects=False)
+    assert r2.status_code == 404
+    assert "portal_session=" not in r2.headers.get("set-cookie", "")