Fix double-submit reconfirmation bug
Previously, if a user submitted their new email twice, they would bypass the reconfirmation requirement and wind up auto-confirmed.
parent
3906456993
commit
5a820262f9
|
@ -66,6 +66,7 @@ module Devise
|
||||||
self.confirmed_at = Time.now
|
self.confirmed_at = Time.now
|
||||||
|
|
||||||
if self.class.reconfirmable
|
if self.class.reconfirmable
|
||||||
|
@bypass_postpone = true
|
||||||
self.email = unconfirmed_email if unconfirmed_email.present?
|
self.email = unconfirmed_email if unconfirmed_email.present?
|
||||||
self.unconfirmed_email = nil
|
self.unconfirmed_email = nil
|
||||||
save
|
save
|
||||||
|
@ -183,7 +184,9 @@ module Devise
|
||||||
end
|
end
|
||||||
|
|
||||||
def postpone_email_change?
|
def postpone_email_change?
|
||||||
self.class.reconfirmable && email_changed? && email != unconfirmed_email_was
|
postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone
|
||||||
|
@bypass_postpone = nil
|
||||||
|
postpone
|
||||||
end
|
end
|
||||||
|
|
||||||
def email_change_confirmation_required?
|
def email_change_confirmation_required?
|
||||||
|
|
|
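Review bot: The one-shot `@bypass_postpone` flag can outlive the save it was meant for, because it is cleared only inside `postpone_email_change?` (second hunk) and not where it is set (first hunk). If that save stops before the predicate is evaluated, for example on a validation failure, the flag would stay `true` on the instance. The next email change on the same object would then skip reconfirmation, which is the bypass this commit closes. This is inferred, since the callback wiring is not visible on this page. A predicate with a side effect also gives a different answer when it is called twice in one save. I would keep it pure, `self.class.reconfirmable && email_changed? && !@bypass_postpone`, and reset the flag next to the `save` call, e.g. `saved = save`, `@bypass_postpone = nil`, `saved`, or in an `ensure`. The method enclosing the first hunk starts and ends outside it.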
@ -296,6 +296,15 @@ class ReconfirmableTest < ConfirmableTest
|
||||||
assert_equal 'new_test@example.com', user.email
|
assert_equal 'new_test@example.com', user.email
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test 'should not allow user to get past confirmation email by resubmitting their new address' do
|
||||||
|
user = create_user
|
||||||
|
assert user.confirm!
|
||||||
|
assert user.update_attributes(:email => 'new_test@example.com')
|
||||||
|
assert_not_equal 'new_test@example.com', user.email
|
||||||
|
assert user.update_attributes(:email => 'new_test@example.com')
|
||||||
|
assert_not_equal 'new_test@example.com', user.email
|
||||||
|
end
|
||||||
|
|
||||||
test 'should find a user by send confirmation instructions with unconfirmed_email' do
|
test 'should find a user by send confirmation instructions with unconfirmed_email' do
|
||||||
user = create_user
|
user = create_user
|
||||||
assert user.confirm!
|
assert user.confirm!
|
||||||
|
|
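Review bot: The new test only asserts that `user.email` is not the new address after each submit, so it would still pass if the second `update_attributes` silently discarded the pending change. Adding `assert_equal 'new_test@example.com', user.unconfirmed_email` after the second update would pin that the address is still waiting for confirmation. A further case that changes the email again on the same instance after `confirm!` would also exercise the `@bypass_postpone` reset in the model change.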