diff --git a/flask_security/views.py b/flask_security/views.py index 4b18cc7..b1b70df 100644 --- a/flask_security/views.py +++ b/flask_security/views.py @@ -203,8 +203,6 @@ def send_confirmation(): def confirm_email(token): """View function which handles a email confirmation request.""" - logout_user() - expired, invalid, user = confirm_email_token_status(token) if not user or invalid: @@ -218,8 +216,11 @@ def confirm_email(token): return redirect(get_url(_security.confirm_error_view) or url_for('send_confirmation')) + if user != current_user: + logout_user() + login_user(user) + confirm_user(user) - login_user(user) after_this_request(_commit) do_flash(*get_message('EMAIL_CONFIRMED')) diff --git a/tests/configured_tests.py b/tests/configured_tests.py index 0d51fe3..7cef0e4 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -336,6 +336,24 @@ class LoginWithoutImmediateConfirmTests(SecurityTest): r = self._post('/register', data=data, follow_redirects=True) self.assertIn(e, r.data) + def test_confirm_email_of_user_different_than_current_user(self): + e1 = 'dude@lp.com' + e2 = 'lady@lp.com' + + with capture_registrations() as registrations: + self.register(e1) + self.register(e2) + token1 = registrations[0]['confirm_token'] + token2 = registrations[1]['confirm_token'] + + self.client.get('/confirm/' + token1, follow_redirects=True) + self.client.get('/logout') + self.authenticate(email=e1) + r = self.client.get('/confirm/' + token2, follow_redirects=True) + msg = self.app.config['SECURITY_MSG_EMAIL_CONFIRMED'][0] + self.assertIn(msg, r.data) + self.assertIn('Hello %s' % e2, r.data) + class RecoverableTests(SecurityTest):