Uhhh... WHY do we want to re-use the validation record? Don't.
The validation record doesn't have an email address in it. When we change the user's email address we create a validation record. So, with the re-use, the following would work: 1) Set your email address to real.address@site.com, a validation email is sent. 2) Don't click it! Instead, go back and change your email address to fake.address@fakeyfake.com, another validation email is sent (but bounces). 3) Click on the link in the first email. Ta-dah! You've "validated" fake.address@fakeyfake.com!! So: generate a new validation code every time we're asked to create one for the user. Right? Right?
This commit is contained in:
@@ -929,19 +929,15 @@ public class DepotUserRepository extends DepotRepository
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a pending record for an account that has been created but not yet validated (which
|
* Creates a pending record for an account that has been created but not yet validated (which
|
||||||
* involves the user accessing a secret URL we send to them in an email message). If a record
|
* involves the user accessing a secret URL we send to them in an email message).
|
||||||
* already exists for the supplied user, it will be reused and returned.
|
|
||||||
*/
|
*/
|
||||||
public ValidateRecord createValidateRecord (int userId, boolean persist)
|
public ValidateRecord createValidateRecord (int userId, boolean persist)
|
||||||
{
|
{
|
||||||
// reuse an existing record if we have one
|
// delete any old validate mappings for the user
|
||||||
ValidateRecord rec = getValidateRecord(userId);
|
deleteAll(ValidateDepotRecord.class, new Where(ValidateDepotRecord.USER_ID.eq(userId)));
|
||||||
if (rec != null) {
|
|
||||||
return rec;
|
|
||||||
}
|
|
||||||
|
|
||||||
// otherwise create a new one and insert it into the database
|
// create a new one and insert it into the database
|
||||||
rec = new ValidateRecord();
|
ValidateRecord rec = new ValidateRecord();
|
||||||
rec.secret = Long.toString(Math.abs((new Random()).nextLong()), 16);
|
rec.secret = Long.toString(Math.abs((new Random()).nextLong()), 16);
|
||||||
rec.userId = userId;
|
rec.userId = userId;
|
||||||
rec.persist = persist;
|
rec.persist = persist;
|
||||||
|
|||||||
Reference in New Issue
Block a user