From 4e5882cb4b89bb084ba3a63d6060323a2b371f98 Mon Sep 17 00:00:00 2001 From: "Ray J. Greenwell" Date: Thu, 3 Nov 2011 18:45:53 -0700 Subject: [PATCH] Uhhh... WHY do we want to re-use the validation record? Don't. The validation record doesn't have an email address in it. When we change the user's email address we create a validation record. So, with the re-use, the following would work: 1) Set your email address to real.address@site.com, a validation email is sent. 2) Don't click it! Instead, go back and change your email address to fake.address@fakeyfake.com, another validation email is sent (but bounces). 3) Click on the link in the first email. Ta-dah! You've "validated" fake.address@fakeyfake.com!! So: generate a new validation code every time we're asked to create one for the user. Right? Right? --- .../threerings/user/depot/DepotUserRepository.java | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/main/java/com/threerings/user/depot/DepotUserRepository.java b/src/main/java/com/threerings/user/depot/DepotUserRepository.java index 59039e2..0a121d7 100644 --- a/src/main/java/com/threerings/user/depot/DepotUserRepository.java +++ b/src/main/java/com/threerings/user/depot/DepotUserRepository.java @@ -929,19 +929,15 @@ public class DepotUserRepository extends DepotRepository /** * Creates a pending record for an account that has been created but not yet validated (which - * involves the user accessing a secret URL we send to them in an email message). If a record - * already exists for the supplied user, it will be reused and returned. + * involves the user accessing a secret URL we send to them in an email message). */ public ValidateRecord createValidateRecord (int userId, boolean persist) { - // reuse an existing record if we have one - ValidateRecord rec = getValidateRecord(userId); - if (rec != null) { - return rec; - } + // delete any old validate mappings for the user + deleteAll(ValidateDepotRecord.class, new Where(ValidateDepotRecord.USER_ID.eq(userId))); - // otherwise create a new one and insert it into the database - rec = new ValidateRecord(); + // create a new one and insert it into the database + ValidateRecord rec = new ValidateRecord(); rec.secret = Long.toString(Math.abs((new Random()).nextLong()), 16); rec.userId = userId; rec.persist = persist;