
Fixed user state bug during sign up when sign up code is used

When a user signs up with a sign up code we check if the given email matches the
sign up code email. If they match we confirm the email, but we don't reactivate
the user account when ACCOUNT_EMAIL_CONFIRMATION_REQUIRED is True.

This commit fixes this ensuring users are activated correctly when they never
receive the email confirmation by design.
1 parent a1c71ec commit 36c61a436002a7a0d5427077b1f72941f55b4460 @brosner brosner committed Jan 30, 2013
Showing with 3 additions and 0 deletions.
  1. +3 −0 account/views.py
3 account/views.py
@@ -104,6 +104,9 @@ def form_valid(self, form):
self.signup_code.use(self.created_user)
if self.signup_code.email and self.created_user.email == self.signup_code.email:
email_kwargs["verified"] = True
+ if settings.ACCOUNT_EMAIL_CONFIRMATION_REQUIRED:
+ self.created_user.is_active = True
+ self.created_user.save()
email_address = EmailAddress.objects.add_email(self.created_user, self.created_user.email, **email_kwargs)
self.after_signup(form)
if settings.ACCOUNT_EMAIL_CONFIRMATION_EMAIL and not email_kwargs["verified"]:
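Review bot: the activation at `self.created_user.is_active = True` skips email confirmation on the strength of `self.created_user.email == self.signup_code.email` alone, and nothing in the code records why that is safe (indentation is lost in this rendering, so this assumes the three added lines sit inside the email-match branch). Add a comment above `if settings.ACCOUNT_EMAIL_CONFIRMATION_REQUIRED:` stating the assumption that a code carrying an email was delivered to that mailbox, so presenting it proves ownership. The comparison is an exact string match, so an address differing only in case is not marked verified here and goes to the confirmation email check on the last line; that is the safe direction, but worth a note. The commit touches only account/views.py: a test that signs up with a matching code under ACCOUNT_EMAIL_CONFIRMATION_REQUIRED = True and asserts the user ends up active, plus one with a non-matching email asserting no activation in this branch, would pin the behaviour.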

3 comments on commit 36c61a4

@paltman
Pinax Project member

I don't think this handles the case where sign up codes are not required. Could there be the case where you would still want to send invites to users with open signup and a user sees the email but doesn't use the signup code, but instead goes to the site and registers with the same email address? kaleo currently links up these based on email confirmation and user signed up signals, but that got me thinking that in the case of open signup, this setting of user to active won't happen.

@brosner
Pinax Project member

Let me explain why the code behaves the way it does. When a signup code has an email attached to it we assume the code was given to the user via email. Meaning that to get to the sign up page they clicked a link from their email. This will pre-populate the email field and after the user signs up automatically verify their email address because the code assumes they came from email (the codes given via email are not human readable so it is doubtful anyone would have just typed it.) Those that came from email shouldn't need to go through the email confirmation step because we know the established email address is confirmed because they came to the site from it!

The case you describe doesn't fit in the behavior above. If a user doesn't use the signup code from their email we have no way to know that the user owns the email address they give us (even if it does happen to match a signup code email address.) This should require them to go through the email confirmation process which will result in their user account being marked active.

@paltman
Pinax Project member

Good point. I completely understood how it works in how you describe it, but I had not thought about them needing to prove they own it if they happen to come to the site without clicking on the link, thus not proving that they own the email address. Thanks.
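The states discussed in this thread, as an added stand-alone model that is not the project's code: it reproduces the branch in the hunk with and without the fix and flags the stuck state the commit message describes (inactive account, no confirmation email on the way). It assumes accounts are created inactive when ACCOUNT_EMAIL_CONFIRMATION_REQUIRED is True; `Outcome`, `signup_outcome` and `with_fix` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    verified: bool            # email marked verified at signup
    is_active: bool           # account is usable
    confirmation_sent: bool   # a confirmation email was sent

    @property
    def stuck(self) -> bool:
        # Inactive, and no confirmation email will arrive to activate it.
        return not self.is_active and not self.confirmation_sent


def signup_outcome(submitted_email: str,
                   code_email: Optional[str],
                   confirmation_required: bool = True,
                   confirmation_email: bool = True,
                   with_fix: bool = True) -> Outcome:
    """Model the signup branch shown in the hunk.

    code_email is the email attached to the signup code the user actually
    presented, or None when no code (or a code without an email) was used.
    """
    # Assumption: new accounts start inactive when confirmation is required.
    is_active = not confirmation_required
    verified = False
    # Same exact-match comparison as the hunk: presenting the emailed code
    # together with the matching address is treated as proof of ownership.
    if code_email and submitted_email == code_email:
        verified = True
        if with_fix and confirmation_required:
            is_active = True
    # Mirrors the last context line: only unverified addresses get the email.
    sent = confirmation_email and not verified
    return Outcome(verified, is_active, sent)


if __name__ == "__main__":
    # Constructed sample inputs.
    print("invited, before fix:", signup_outcome("a@example.com", "a@example.com", with_fix=False))
    print("invited, after fix: ", signup_outcome("a@example.com", "a@example.com"))
    print("open signup, no code:", signup_outcome("a@example.com", None))
```

The third case is the one raised in the first comment: the address matches an invite, but no code was presented, so the account stays inactive until the confirmation email is acted on.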
