Conditionally logout the current user when confirming an email address to prevent unnecessary code/signals to be fired. Fixes #133

This commit is contained in:
Matt Wright
2013-07-11 14:50:21 -04:00
parent 8f760aadbd
commit 8eeb832d2e
2 changed files with 22 additions and 3 deletions
+4 -3
View File
@@ -203,8 +203,6 @@ def send_confirmation():
def confirm_email(token):
"""View function which handles a email confirmation request."""
logout_user()
expired, invalid, user = confirm_email_token_status(token)
if not user or invalid:
@@ -218,8 +216,11 @@ def confirm_email(token):
return redirect(get_url(_security.confirm_error_view) or
url_for('send_confirmation'))
if user != current_user:
logout_user()
login_user(user)
confirm_user(user)
login_user(user)
after_this_request(_commit)
do_flash(*get_message('EMAIL_CONFIRMED'))
+18
View File
@@ -336,6 +336,24 @@ class LoginWithoutImmediateConfirmTests(SecurityTest):
r = self._post('/register', data=data, follow_redirects=True)
self.assertIn(e, r.data)
def test_confirm_email_of_user_different_than_current_user(self):
e1 = 'dude@lp.com'
e2 = 'lady@lp.com'
with capture_registrations() as registrations:
self.register(e1)
self.register(e2)
token1 = registrations[0]['confirm_token']
token2 = registrations[1]['confirm_token']
self.client.get('/confirm/' + token1, follow_redirects=True)
self.client.get('/logout')
self.authenticate(email=e1)
r = self.client.get('/confirm/' + token2, follow_redirects=True)
msg = self.app.config['SECURITY_MSG_EMAIL_CONFIRMED'][0]
self.assertIn(msg, r.data)
self.assertIn('Hello %s' % e2, r.data)
class RecoverableTests(SecurityTest):