SECURITY: Destroy EmailToken when EmailChangeRequest is destroyed (
jbrw committed Aug 4, 2021
1 parent d8a0d22 commit fb14e50
Showing 2 changed files with 15 additions and 2 deletions.
4 changes: 2 additions & 2 deletions app/models/email_change_request.rb
@@ -1,8 +1,8 @@
# frozen_string_literal: true

class EmailChangeRequest < ActiveRecord::Base
belongs_to :old_email_token, class_name: 'EmailToken'
belongs_to :new_email_token, class_name: 'EmailToken'
belongs_to :old_email_token, class_name: 'EmailToken', dependent: :destroy
belongs_to :new_email_token, class_name: 'EmailToken', dependent: :destroy
belongs_to :user
belongs_to :requested_by, class_name: "User", foreign_key: :requested_by_user_id

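Review bot: The `dependent: :destroy` options on `old_email_token` and `new_email_token` only run when an EmailChangeRequest is removed through `destroy` or `destroy_all`; `delete`, `delete_all` and raw SQL skip callbacks and would still leave the tokens in place. The code that removes requests is not visible on this page, so it is worth confirming that every removal path, including any cleanup job, goes through `destroy`, and whether tokens orphaned before this commit need a one-off cleanup. A comment above the two associations would keep the reason from being lost, for example `# Tokens are destroyed with the request so that a cancelled change cannot (presumably) still be confirmed.`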
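--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -3050,6 +3050,19 @@ def post_user(extra_params = {})
 expect(user.user_emails.pluck(:email)).to contain_exactly(user_email.email, other_email.email)
 expect(user.email_change_requests).to contain_exactly(request_1)
 end
+
+it "can destroy associated email tokens" do
+new_email = 'new.n.cool@example.com'
+updater = EmailUpdater.new(guardian: user.guardian, user: user)
+
+expect { updater.change_to(new_email) }
+.to change { user.email_tokens.count }.by(1)
+
+expect { delete "/u/#{user.username}/preferences/email.json", params: { email: new_email } }
+.to change { user.email_tokens.count }.by(-1)
+
+expect(user.email_tokens.first.email).to eq(user.email)
+end
 end
 
 describe '#is_local_username' do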
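Review bot: The new example only compares token counts, and `change_to` raises the count by one here, so at most one of the two associations changed in the model is exercised; which one depends on EmailUpdater, which is not visible on this page. Since the commit is a security fix, the spec should pin the property directly: capture the token with `token = user.email_tokens.last` after `change_to`, then assert `expect(EmailToken.exists?(token.id)).to eq(false)` after the DELETE request. A second example that populates the other association would cover the remaining `dependent: :destroy`. The enclosing `describe` block starts outside this hunk.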
