From 8eeb832d2e7045a107786fd720a99a78aa5a12d0 Mon Sep 17 00:00:00 2001 From: Matt Wright Date: Thu, 11 Jul 2013 14:50:21 -0400 Subject: [PATCH] Conditionally logout the current user when confirming an email address to prevent unnecessary code/signals to be fired. Fixes #133 --- flask_security/views.py | 7 ++++--- tests/configured_tests.py | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/flask_security/views.py b/flask_security/views.py index 4b18cc7..b1b70df 100644 --- a/flask_security/views.py +++ b/flask_security/views.py @@ -203,8 +203,6 @@ def send_confirmation(): def confirm_email(token): """View function which handles a email confirmation request.""" - logout_user() - expired, invalid, user = confirm_email_token_status(token) if not user or invalid: @@ -218,8 +216,11 @@ def confirm_email(token): return redirect(get_url(_security.confirm_error_view) or url_for('send_confirmation')) + if user != current_user: + logout_user() + login_user(user) + confirm_user(user) - login_user(user) after_this_request(_commit) do_flash(*get_message('EMAIL_CONFIRMED')) diff --git a/tests/configured_tests.py b/tests/configured_tests.py index 0d51fe3..7cef0e4 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -336,6 +336,24 @@ class LoginWithoutImmediateConfirmTests(SecurityTest): r = self._post('/register', data=data, follow_redirects=True) self.assertIn(e, r.data) + def test_confirm_email_of_user_different_than_current_user(self): + e1 = 'dude@lp.com' + e2 = 'lady@lp.com' + + with capture_registrations() as registrations: + self.register(e1) + self.register(e2) + token1 = registrations[0]['confirm_token'] + token2 = registrations[1]['confirm_token'] + + self.client.get('/confirm/' + token1, follow_redirects=True) + self.client.get('/logout') + self.authenticate(email=e1) + r = self.client.get('/confirm/' + token2, follow_redirects=True) + msg = self.app.config['SECURITY_MSG_EMAIL_CONFIRMED'][0] + self.assertIn(msg, r.data) + self.assertIn('Hello %s' % e2, r.data) + class RecoverableTests(SecurityTest):