mirror of
https://github.com/wassname/flask-security.git
synced 2026-07-07 00:06:15 +08:00
Conditionally logout the current user when confirming an email address to prevent unnecessary code/signals to be fired. Fixes #133
This commit is contained in:
@@ -203,8 +203,6 @@ def send_confirmation():
|
||||
def confirm_email(token):
|
||||
"""View function which handles a email confirmation request."""
|
||||
|
||||
logout_user()
|
||||
|
||||
expired, invalid, user = confirm_email_token_status(token)
|
||||
|
||||
if not user or invalid:
|
||||
@@ -218,8 +216,11 @@ def confirm_email(token):
|
||||
return redirect(get_url(_security.confirm_error_view) or
|
||||
url_for('send_confirmation'))
|
||||
|
||||
if user != current_user:
|
||||
logout_user()
|
||||
login_user(user)
|
||||
|
||||
confirm_user(user)
|
||||
login_user(user)
|
||||
after_this_request(_commit)
|
||||
do_flash(*get_message('EMAIL_CONFIRMED'))
|
||||
|
||||
|
||||
@@ -336,6 +336,24 @@ class LoginWithoutImmediateConfirmTests(SecurityTest):
|
||||
r = self._post('/register', data=data, follow_redirects=True)
|
||||
self.assertIn(e, r.data)
|
||||
|
||||
def test_confirm_email_of_user_different_than_current_user(self):
|
||||
e1 = 'dude@lp.com'
|
||||
e2 = 'lady@lp.com'
|
||||
|
||||
with capture_registrations() as registrations:
|
||||
self.register(e1)
|
||||
self.register(e2)
|
||||
token1 = registrations[0]['confirm_token']
|
||||
token2 = registrations[1]['confirm_token']
|
||||
|
||||
self.client.get('/confirm/' + token1, follow_redirects=True)
|
||||
self.client.get('/logout')
|
||||
self.authenticate(email=e1)
|
||||
r = self.client.get('/confirm/' + token2, follow_redirects=True)
|
||||
msg = self.app.config['SECURITY_MSG_EMAIL_CONFIRMED'][0]
|
||||
self.assertIn(msg, r.data)
|
||||
self.assertIn('Hello %s' % e2, r.data)
|
||||
|
||||
|
||||
class RecoverableTests(SecurityTest):
|
||||
|
||||
|
||||
Reference in New Issue
Block a user