Uhhh... WHY do we want to re-use the validation record? Don't.
The validation record doesn't have an email address in it. When we change the user's email address we create a validation record. So, with the re-use, the following would work: 1) Set your email address to real.address@site.com, a validation email is sent. 2) Don't click it! Instead, go back and change your email address to fake.address@fakeyfake.com, another validation email is sent (but bounces). 3) Click on the link in the first email. Ta-dah! You've "validated" fake.address@fakeyfake.com!! So: generate a new validation code every time we're asked to create one for the user. Right? Right?
This commit is contained in:
@@ -929,19 +929,15 @@ public class DepotUserRepository extends DepotRepository
|
||||
|
||||
/**
|
||||
* Creates a pending record for an account that has been created but not yet validated (which
|
||||
* involves the user accessing a secret URL we send to them in an email message). If a record
|
||||
* already exists for the supplied user, it will be reused and returned.
|
||||
* involves the user accessing a secret URL we send to them in an email message).
|
||||
*/
|
||||
public ValidateRecord createValidateRecord (int userId, boolean persist)
|
||||
{
|
||||
// reuse an existing record if we have one
|
||||
ValidateRecord rec = getValidateRecord(userId);
|
||||
if (rec != null) {
|
||||
return rec;
|
||||
}
|
||||
// delete any old validate mappings for the user
|
||||
deleteAll(ValidateDepotRecord.class, new Where(ValidateDepotRecord.USER_ID.eq(userId)));
|
||||
|
||||
// otherwise create a new one and insert it into the database
|
||||
rec = new ValidateRecord();
|
||||
// create a new one and insert it into the database
|
||||
ValidateRecord rec = new ValidateRecord();
|
||||
rec.secret = Long.toString(Math.abs((new Random()).nextLong()), 16);
|
||||
rec.userId = userId;
|
||||
rec.persist = persist;
|
||||
|
||||
Reference in New Issue
Block a user