#169: Implemented email verification #222
Conversation
| @@ -32,17 +32,29 @@ public function behaviors() | |||
| 'class' => AccessControl::class, | |||
| 'rules' => [ | |||
| [ | |||
| 'actions' => ['signup', 'login', 'request-password-reset', 'reset-password', 'auth'], | |||
| 'actions' => [ | |||
| 'request-password-reset', | |||
There was a problem hiding this comment.
why allow password reset if already logged in?
There was a problem hiding this comment.
Yes. Same as it was before the change. That's fine because you may want to change your password even if you're currently logged in.
controllers/AuthController.php
Outdated
| if ($user) { | ||
| $user->email_verified = true; | ||
| $user->removeEmailVerificationToken(); | ||
| if ($user->save()) { |
There was a problem hiding this comment.
how about making this a method in User which can not fail on validation of unrelated fields?
$user->verifyEmail(); will set email_verified, remove the token and save(false);
controllers/UserController.php
Outdated
| { | ||
| if ($user) { | ||
| if (!User::isEmailVerificationTokenValid($user->email_verification_token)) { | ||
| $user->generateEmailVerificationToken(); |
There was a problem hiding this comment.
this method should do save() internally, makes code below easier for not checking return value of save().
models/SignupForm.php
Outdated
| return $user; | ||
| } | ||
|
|
||
| return null; | ||
| } | ||
|
|
||
| private function sendEmailVerificationEmail(User $user) |
There was a problem hiding this comment.
this is duplicated with the code from UserController, should be a single method.
| $expire = Yii::$app->params['user.emailVerificationTokenExpire']; | ||
| $parts = explode('_', $token); | ||
| $timestamp = (int) end($parts); | ||
| return $timestamp + $expire >= time(); |
There was a problem hiding this comment.
does that mean you can make a token valid again by manipulating the time?
| It is not verified yet. <?= Html::a('Verify', ['user/request-email-verification']) ?>. | ||
| <?php endif ?> | ||
| </li> | ||
| <?php endif ?> |
There was a problem hiding this comment.
if someone has logged in via oauth there is no need to verify email. This case should be covered.
|
Done adjustments. |
Needed for #169