Allowed to log in even before confirming email #17

Closed
sandlerben opened this issue Oct 24, 2015 · 8 comments

@sandlerben
Contributor

Steps to reproduce:

  1. Make an account
  2. Don't confirm email
  3. Log in with account

Expected
4. See message that asks to reconfirm email and you are blocked from doing other user things

Actual
4. See message that asks to reconfirm email and you can do other user things

sandlerben added the bug label Oct 24, 2015

@aharelick
Contributor

@sandlerben, @jondubin: How do people feel about having another decorator like `@confirmed` to put on top of routes that require it? Understandably, this may be a little excessive. I think the overlap between `@login_required` and something like `@confirmed` would be pretty large, but just wanted to gauge opinions.

@sandlerben
Contributor Author

Could we create a better version of `login_required` and put it in `decorators.py`?

@jondubin

How about we pass an argument into the decorator to indicate whether the acct needs to be confirmed or not?

@sandlerben
Contributor Author

That's a good idea. Every endpoint that is login protected should also require confirmation except the confirm account endpoint.

@abhisuri97
Contributor

Is this still an error? I just tried this in my app and the expected behavior is what is happening currently. I think that the following found in app/account/views.py takes care of the issue (or at least it should):

```python
@account.before_app_request
def before_request():
    """Force user to confirm email before accessing login-required routes."""
    if current_user.is_authenticated() \
            and not current_user.confirmed \
            and request.endpoint[:8] != 'account.' \
            and request.endpoint != 'static':
        return redirect(url_for('account.unconfirmed'))


@account.route('/unconfirmed')
def unconfirmed():
    """Catch users with unconfirmed emails."""
    if current_user.is_anonymous() or current_user.confirmed:
        return redirect(url_for('main.index'))
    return render_template('account/unconfirmed.html')
```
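
An added example, not code from the repository or from anyone in this thread: it restates the hook's condition as a pure function and compares it with a deny-by-default allowlist, the shape asked for earlier in the thread (every login-protected endpoint gated except the confirmation ones). Endpoint names other than `account.unconfirmed` and `static` are hypothetical, `User` is a stand-in for `current_user`, and the `None` case covers Flask's `request.endpoint` when no route matched.

```python
from dataclasses import dataclass
from typing import Optional

# Endpoints an unconfirmed user still needs. Only "account.unconfirmed" and
# "static" appear in the thread; the other names are hypothetical.
EXEMPT = frozenset({
    "static",
    "account.unconfirmed",
    "account.confirm",          # hypothetical: consumes the emailed token
    "account.confirm_request",  # hypothetical: resends the email
    "account.logout",           # hypothetical
})


@dataclass
class User:
    """Stand-in for Flask-Login's current_user (constructed for this example)."""
    authenticated: bool
    confirmed: bool


def prefix_gate(user: User, endpoint: Optional[str]) -> bool:
    """Same condition as the quoted hook: True means redirect to account.unconfirmed."""
    return (user.authenticated
            and not user.confirmed
            and endpoint[:8] != "account."   # TypeError when endpoint is None
            and endpoint != "static")


def allowlist_gate(user: User, endpoint: Optional[str]) -> bool:
    """Deny by default: an unconfirmed user reaches only the EXEMPT endpoints."""
    if not user.authenticated or user.confirmed:
        return False
    if endpoint is None:         # no route matched; let the 404 handler answer
        return False
    return endpoint not in EXEMPT


def compare(user: User, endpoints):
    """Return {endpoint: (prefix_result, allowlist_result)}; 'error' marks a crash."""
    out = {}
    for ep in endpoints:
        try:
            old = prefix_gate(user, ep)
        except TypeError:
            old = "error"
        out[ep] = (old, allowlist_gate(user, ep))
    return out
```

With an unconfirmed, logged-in user, the two gates differ only on blueprint endpoints outside the allowlist and on the unmatched-route case.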

@sandlerben
Contributor Author

It's possible I fixed it without closing the issue. I'll check and update this issue.

On Sun, Mar 20, 2016, 2:58 AM Abhinav Suri notifications@github.com wrote:

> Is this still an error? I just tried this in my app and the expected behavior is what is happening currently. I think that the following found in app/account/views.py takes care of the issue (or at least it should):
>
> ```python
> @account.before_app_request
> def before_request():
>     """Force user to confirm email before accessing login-required routes."""
>     if current_user.is_authenticated() \
>             and not current_user.confirmed \
>             and request.endpoint[:8] != 'account.' \
>             and request.endpoint != 'static':
>         return redirect(url_for('account.unconfirmed'))
>
>
> @account.route('/unconfirmed')
> def unconfirmed():
>     """Catch users with unconfirmed emails."""
>     if current_user.is_anonymous() or current_user.confirmed:
>         return redirect(url_for('main.index'))
>     return render_template('account/unconfirmed.html')
> ```



@abhisuri97
Contributor

permission to close the issue? tested and it seems to be fixed.

@sandlerben
Contributor Author

yes this looks fixed! sorry for the delayed response
