Fix double-submit reconfirmation bug

Previously, if a user submitted their new email twice, they would bypass the reconfirmation requirement and wind up auto-confirmed.
2011-08-12 14:51:04 -06:00 · 2011-08-12 14:51:04 -06:00 · 5a820262f9
parent 3906456993
commit 5a820262f9
2 changed files with 13 additions and 1 deletions
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@ -66,6 +66,7 @@ module Devise
          self.confirmed_at = Time.now

          if self.class.reconfirmable
+            @bypass_postpone = true
            self.email = unconfirmed_email if unconfirmed_email.present?
            self.unconfirmed_email = nil
            save
@ -183,7 +184,9 @@ module Devise
        end

        def postpone_email_change?
-          self.class.reconfirmable && email_changed? && email != unconfirmed_email_was
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone
+          @bypass_postpone = nil
+          postpone
        end

        def email_change_confirmation_required?
--- a/test/models/confirmable_test.rb
+++ b/test/models/confirmable_test.rb
@ -296,6 +296,15 @@ class ReconfirmableTest < ConfirmableTest
    assert_equal 'new_test@example.com', user.email
  end

+  test 'should not allow user to get past confirmation email by resubmitting their new address' do
+    user = create_user
+    assert user.confirm!
+    assert user.update_attributes(:email => 'new_test@example.com')
+    assert_not_equal 'new_test@example.com', user.email
+    assert user.update_attributes(:email => 'new_test@example.com')
+    assert_not_equal 'new_test@example.com', user.email
+  end
+
  test 'should find a user by send confirmation instructions with unconfirmed_email' do
    user = create_user
    assert user.confirm!