Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Activated event is sent every time an email is confirmed instead of just once #2713

Closed
clarkwinkelmann opened this issue Mar 19, 2021 · 1 comment · Fixed by #3163
Closed

Activated event is sent every time an email is confirmed instead of just once #2713

clarkwinkelmann opened this issue Mar 19, 2021 · 1 comment · Fixed by #3163
Labels
Good first issue type/bug
Milestone
1.2

Comments

@clarkwinkelmann
Copy link
Member

clarkwinkelmann commented Mar 19, 2021
edited

Bug Report

Current Behavior
The Activated event is dispatched every time an email change is confirmed, instead of just on the first email verification.

Steps to Reproduce

  1. Use an extension that reacts to the activation event, for example Audit Log
  2. Create a new account and activate it
  3. Change email and confirm new email
  4. Notice two logs for account activation

Expected Behavior
The Activated event shouldn't be triggered again once the account is already activated.

Environment

  • Flarum version: beta 16, but also affects previous versions

Possible Solution
The problem is here

https://github.com/flarum/core/blob/509adf228a18745b61a62b63cbdce3198ac17ff3/src/User/User.php#L368

We use an explicit check !== true, but the value isn't cast to bool, so we're always comparing 1 !== true and always dispatch the event.

I suggest we add an Eloquent attribute cast to make this value an actual boolean.

Another option could be to just use !$this->is_email_confirmed since the column is non-nullable anyway.

Additional Context
This is not a big issue in itself, but if any extension wanted to use that event to configure something for the user account, it would be nice if the event didn't get triggered again. Since the user can essentially trigger it at will, a malicious example could be the registration event used to reset the user balance or strikes in an external database, which could be abused.
This was referenced Jun 14, 2021
Closed
Closed
@stale
Copy link

stale bot commented Jun 22, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. We do this to keep the amount of open issues to a manageable minimum.
In any case, thanks for taking an interest in this software and contributing by opening the issue in the first place!

@stale stale bot added the stale Issues that have had over 90 days of inactivity label Jun 22, 2021
@SychO9 SychO9 removed the stale Issues that have had over 90 days of inactivity label Jun 22, 2021
@grimmdude grimmdude mentioned this issue Nov 11, 2021
Merged
8 tasks
@SychO9 SychO9 added this to the 1.2 milestone Nov 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Good first issue type/bug
Projects
None yet
Milestone
1.2
2 participants
@clarkwinkelmann @SychO9