[#114] Added :user_id component to email confirmation path to improve the security.

Added tests for `confirm_email` action.
Ivan Tashkinov 2018-12-20 13:41:30 +03:00
commit f69cbf4755
5 changed files with 26 additions and 10 deletions


@ -382,9 +382,11 @@ defmodule Pleroma.Web.TwitterAPI.Controller do
end
end
def confirm_email(conn, %{"token" => token}) do
with %User{} = user <- User.get_by_confirmation_token(token),
def confirm_email(conn, %{"user_id" => uid, "token" => token}) do
with %User{} = user <- Repo.get(User, uid),
true <- user.local,
true <- user.info.confirmation_pending,
true <- user.info.confirmation_token == token,
info_change <- User.Info.confirmation_changeset(user.info, :confirmed),
changeset <- Changeset.change(user) |> Changeset.put_embed(:info, info_change),
{:ok, _} <- User.update_and_set_cache(changeset) do