Delete any outstanding tokens when a user changes their email

This ensures that any tokens previously sent to the old email address
can no longer be used if somebody were able to access that address.
Tom Hughes 2020-09-29 13:47:40 +01:00
parent f0bf85d4a1
commit c694c78c9a
2 changed files with 2 additions and 2 deletions


@ -366,7 +366,7 @@ class UsersController < ApplicationController
else
flash[:errors] = current_user.errors
end
token.destroy
current_user.tokens.delete_all
session[:user] = current_user.id
redirect_to :action => "account", :display_name => current_user.display_name
elsif token
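Review bot: The `current_user.tokens.delete_all` call removes the token rows only because of the `:dependent => :destroy` option this commit adds to `has_many :tokens` in the User model hunk; on a `has_many` with no `:dependent` option the same call nullifies the foreign key and leaves the rows in the table. Nothing at the call site records that dependency, so a later edit to the association could quietly undo the invalidation; I would add above the call `# Relies on :dependent => :destroy on User#tokens; without it delete_all only nullifies user_id.` Neither of the two changed files looks like a test, so a controller test that creates a second token, confirms the email change with the first and asserts the second no longer exists would pin the behaviour. The enclosing action begins and ends outside the hunk.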


@ -56,7 +56,7 @@ class User < ApplicationRecord
has_many :sent_messages, -> { where(:from_user_visible => true).order(:sent_on => :desc).preload(:sender, :recipient) }, :class_name => "Message", :foreign_key => :from_user_id
has_many :friendships, -> { joins(:befriendee).where(:users => { :status => %w[active confirmed] }) }
has_many :friends, :through => :friendships, :source => :befriendee
has_many :tokens, :class_name => "UserToken"
has_many :tokens, :class_name => "UserToken", :dependent => :destroy
has_many :preferences, :class_name => "UserPreference"
has_many :changesets, -> { order(:created_at => :desc) }
has_many :changeset_comments, :foreign_key => :author_id