
Improved account primary email address change

When a user changed their primary email address we would simply update the
email address fields. This is problematic because we have no guarantee the new
address is owned by the user.

We now update the fields, set the email as unverified and send a confirmation.
If an exception happens during this process we roll back the changes as if the
email never changed.
1 parent fd08c67 commit ea2f2eed597f03a3c0edfe77078e484e06d43193 @brosner brosner committed Jul 3, 2012
Showing with 15 additions and 5 deletions.
  1. +14 −1 account/models.py
  2. +1 −4 account/views.py
@@ -4,7 +4,7 @@
from django.core.mail import send_mail
from django.core.urlresolvers import reverse
-from django.db import models
+from django.db import models, transaction
from django.db.models import Q
from django.db.models.signals import post_save
from django.dispatch import receiver
@@ -247,6 +247,19 @@ def send_confirmation(self):
confirmation = EmailConfirmation.create(self)
confirmation.send()
return confirmation
+
+ def change(self, new_email, confirm=True):
+ """
+ Given a new email address, change self and re-confirm.
+ """
+ with transaction.commit_on_success():
+ self.user.email = email
+ self.user.save()
+ self.email = email
+ self.verified = False
+ self.save()
+ if confirm:
+ self.send_confirmation()
class EmailConfirmation(models.Model):
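Review bot: `change()` declares the parameter `new_email`, but the body assigns `email` (`self.user.email = email`, `self.email = email`), which is neither a parameter nor a local in this method, so unless a module-level `email` happens to exist the call raises NameError. Use the parameter in both places: `self.user.email = new_email` and `self.email = new_email`. Separately, `user.email` is overwritten before the new address is confirmed, so any feature that mails `user.email` (password reset, for example) would be trusting an address the commit message itself describes as unproven; consider keeping the old value on the user until the confirmation succeeds. Leading indentation is lost on this page, so it is not visible whether `send_confirmation()` runs inside the `with transaction.commit_on_success():` block as the description implies.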
@@ -585,10 +585,7 @@ def update_email(self, form, confirm=None):
user.save()
else:
if email != self.primary_email_address.email:
- user.email = email
- self.primary_email_address.email = email
- user.save()
- self.primary_email_address.save()
+ self.primary_email_address.change(email)
def update_account(self, form):
fields = {}
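Review bot: The new call `self.primary_email_address.change(email)` does not forward `update_email`'s own `confirm` argument, so `change()` always falls back to its default `confirm=True` and a caller that asked for no confirmation mail still triggers one. If the view's setting is meant to be honoured, pass it through, `self.primary_email_address.change(email, confirm=confirm)`. `update_email` begins above this hunk, so whether `confirm=None` is resolved to a concrete boolean before this line is not visible here; that should be checked first, because forwarding a raw `None` would disable the confirmation mail and leave the address unverified.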
