
Improved account primary email address change

When a user changed their primary email address we would simply update the
email address fields. This is problematic because we have no guarantee the new
address is owned by the user.

We now update the fields, set the email as unverified and send a confirmation.
If an exception happens during this process we roll back the changes as if the
email never changed.
commit ea2f2eed597f03a3c0edfe77078e484e06d43193 1 parent fd08c67
@brosner brosner authored
Showing with 15 additions and 5 deletions.
  1. +14 −1 account/models.py
  2. +1 −4 account/views.py
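--- a/account/models.py
+++ b/account/models.py
@@ -4,7 +4,7 @@
 from django.core.mail import send_mail
 from django.core.urlresolvers import reverse
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Q
 from django.db.models.signals import post_save
 from django.dispatch import receiver
@@ -247,6 +247,19 @@ def send_confirmation(self):
 confirmation = EmailConfirmation.create(self)
 confirmation.send()
 return confirmation
+
+ def change(self, new_email, confirm=True):
+ """
+ Given a new email address, change self and re-confirm.
+ """
+ with transaction.commit_on_success():
+ self.user.email = email
+ self.user.save()
+ self.email = email
+ self.verified = False
+ self.save()
+ if confirm:
+ self.send_confirmation()
 class EmailConfirmation(models.Model):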
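Review bot: In `change()`, both assignments read `email`, but the parameter is named `new_email`, so unless a module-level `email` exists outside this hunk the method raises NameError before anything is saved; they should read `self.user.email = new_email` and `self.email = new_email`. Separately, `transaction.commit_on_success()` rolls back only the database rows: if `send_confirmation()` raises, `self.email`, `self.verified` and `self.user.email` keep the new values in memory, so a caller that catches the error and saves either object again would persist the unverified address. It is also worth noting that `user.email` is switched to the new address before it is confirmed, so any code that mails `user.email` (none is visible here) would send to an address whose ownership is not yet proven; keeping the old value until confirmation would close that window.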
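--- a/account/views.py
+++ b/account/views.py
@@ -585,10 +585,7 @@ def update_email(self, form, confirm=None):
 user.save()
 else:
 if email != self.primary_email_address.email:
- user.email = email
- self.primary_email_address.email = email
- user.save()
- self.primary_email_address.save()
+ self.primary_email_address.change(email)
 def update_account(self, form):
 fields = {}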
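Review bot: `update_email` accepts a `confirm` argument, but the new call `self.primary_email_address.change(email)` does not forward it, so `change()` always runs with its default `confirm=True` whatever the caller asked for. Forwarding it as `self.primary_email_address.change(email, confirm=confirm)` would keep the two signatures consistent, but only if `confirm` has been resolved from `None` to a boolean earlier in `update_email`, which starts outside this hunk; a bare `None` would silently skip the confirmation. `change()` also sends mail inside its transaction and lets exceptions propagate. No handler is visible around this call, so a mail backend failure would presumably surface as an unhandled error in the view.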