SECURITY: Destroy `EmailToken` when `EmailChangeRequest` is destroyed (#13950)

jbrw 2021-08-04 19:14:56 -04:00 committed by GitHub
parent d8a0d2262c
commit fb14e50741
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 2 deletions


@ -1,8 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
class EmailChangeRequest < ActiveRecord::Base class EmailChangeRequest < ActiveRecord::Base
belongs_to :old_email_token, class_name: 'EmailToken' belongs_to :old_email_token, class_name: 'EmailToken', dependent: :destroy
belongs_to :new_email_token, class_name: 'EmailToken' belongs_to :new_email_token, class_name: 'EmailToken', dependent: :destroy
belongs_to :user belongs_to :user
belongs_to :requested_by, class_name: "User", foreign_key: :requested_by_user_id belongs_to :requested_by, class_name: "User", foreign_key: :requested_by_user_id
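Review bot: The `dependent: :destroy` added to the two `belongs_to` lines only runs when an `EmailChangeRequest` is removed through `destroy`; a path that uses `delete`, `delete_all` or a database-level cascade skips the callback and leaves the `EmailToken` rows in place. Whether every removal path for change requests (account deletion, cleanup jobs) goes through `destroy`/`destroy_all` cannot be seen from this hunk and is worth confirming. A comment above the associations would record the intent, which appears from the commit title to be: `# Tokens must not outlive the request, so a cancelled change can no longer be confirmed.` The class body continues outside the hunk.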


@ -3050,6 +3050,19 @@ describe UsersController do
expect(user.user_emails.pluck(:email)).to contain_exactly(user_email.email, other_email.email) expect(user.user_emails.pluck(:email)).to contain_exactly(user_email.email, other_email.email)
expect(user.email_change_requests).to contain_exactly(request_1) expect(user.email_change_requests).to contain_exactly(request_1)
end end
it "can destroy associated email tokens" do
new_email = 'new.n.cool@example.com'
updater = EmailUpdater.new(guardian: user.guardian, user: user)
expect { updater.change_to(new_email) }
.to change { user.email_tokens.count }.by(1)
expect { delete "/u/#{user.username}/preferences/email.json", params: { email: new_email } }
.to change { user.email_tokens.count }.by(-1)
expect(user.email_tokens.first.email).to eq(user.email)
end
end end
describe '#is_local_username' do describe '#is_local_username' do
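Review bot: The new example "can destroy associated email tokens" checks only that the token count drops by one and that the first remaining token carries the current address, so it could still pass if a different token were the one removed. Asserting the property directly would pin it: `expect(user.email_tokens.map(&:email)).not_to include(new_email)`. The `delete` request's outcome is never checked either; `expect(response.status).to eq(200)` after the request would rule out an error path (the expected code is assumed from the endpoint's success case). Only one token is created in this flow, so the `old_email_token` side of the new `dependent: :destroy` does not appear to be exercised.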