Fix double-submit reconfirmation bug
Previously, if a user submitted their new email twice, they would bypass the reconfirmation requirement and wind up auto-confirmed.
parent
3906456993
commit
5a820262f9
|
@ -66,6 +66,7 @@ module Devise
|
|||
self.confirmed_at = Time.now
|
||||
|
||||
if self.class.reconfirmable
|
||||
@bypass_postpone = true
|
||||
self.email = unconfirmed_email if unconfirmed_email.present?
|
||||
self.unconfirmed_email = nil
|
||||
save
|
||||
|
@ -183,7 +184,9 @@ module Devise
|
|||
end
|
||||
|
||||
def postpone_email_change?
|
||||
self.class.reconfirmable && email_changed? && email != unconfirmed_email_was
|
||||
postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone
|
||||
@bypass_postpone = nil
|
||||
postpone
|
||||
end
|
||||
|
||||
def email_change_confirmation_required?
|
||||
|
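Review bot: `@bypass_postpone` is set in `confirm!` but cleared only as a side effect of `postpone_email_change?`, so the flag stays on the instance whenever that predicate is not evaluated during the `save`. The callback wiring is outside these hunks, but if the predicate runs only as an update-callback condition, a `save` that fails validation would presumably leave the flag set, and the next email change on the same object would skip postponement and be applied without confirmation. Clearing the flag inside `confirm!` avoids this, e.g. `saved = save` followed by `@bypass_postpone = nil` and returning `saved`, or an `ensure` around the `save`. That also keeps `postpone_email_change?` free of side effects, so calling it twice in one save cycle gives the same answer. Both methods begin or end outside the hunks shown.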
|
|
@ -296,6 +296,15 @@ class ReconfirmableTest < ConfirmableTest
|
|||
assert_equal 'new_test@example.com', user.email
|
||||
end
|
||||
|
||||
test 'should not allow user to get past confirmation email by resubmitting their new address' do
|
||||
user = create_user
|
||||
assert user.confirm!
|
||||
assert user.update_attributes(:email => 'new_test@example.com')
|
||||
assert_not_equal 'new_test@example.com', user.email
|
||||
assert user.update_attributes(:email => 'new_test@example.com')
|
||||
assert_not_equal 'new_test@example.com', user.email
|
||||
end
|
||||
|
||||
test 'should find a user by send confirmation instructions with unconfirmed_email' do
|
||||
user = create_user
|
||||
assert user.confirm!
|
||||
|
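Review bot: The new test asserts only on the in-memory `user.email` after each `update_attributes`, so it does not show that the address is still pending confirmation after the second submit. Adding `assert_equal 'new_test@example.com', user.unconfirmed_email` after the second update, and checking `user.reload.email` as well, would pin the stored state rather than just the attribute on the object. A companion case where the same instance changes its email immediately after `confirm!` would exercise the `@bypass_postpone` reset that this commit introduces.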
|