Uhhh... WHY do we want to re-use the validation record? Don't.

The validation record doesn't have an email address in it.
When we change the user's email address we create a validation record.

So, with the re-use, the following would work:
1) Set your email address to real.address@site.com, a validation email
   is sent.
2) Don't click it! Instead, go back and change your email address to
   fake.address@fakeyfake.com, another validation email is sent (but
   bounces).
3) Click on the link in the first email. Ta-dah! You've "validated"
   fake.address@fakeyfake.com!!

So: generate a new validation code every time we're asked to create
one for the user.

Right? Right?
This commit is contained in:
Ray J. Greenwell
2011-11-03 18:45:53 -07:00
parent 94b6d1d9f2
commit 4e5882cb4b
@@ -929,19 +929,15 @@ public class DepotUserRepository extends DepotRepository
/**
* Creates a pending record for an account that has been created but not yet validated (which
* involves the user accessing a secret URL we send to them in an email message). If a record
* already exists for the supplied user, it will be reused and returned.
* involves the user accessing a secret URL we send to them in an email message).
*/
public ValidateRecord createValidateRecord (int userId, boolean persist)
{
// reuse an existing record if we have one
ValidateRecord rec = getValidateRecord(userId);
if (rec != null) {
return rec;
}
// delete any old validate mappings for the user
deleteAll(ValidateDepotRecord.class, new Where(ValidateDepotRecord.USER_ID.eq(userId)));
// otherwise create a new one and insert it into the database
rec = new ValidateRecord();
// create a new one and insert it into the database
ValidateRecord rec = new ValidateRecord();
rec.secret = Long.toString(Math.abs((new Random()).nextLong()), 16);
rec.userId = userId;
rec.persist = persist;