mirror of
https://github.com/discourse/discourse.git
synced 2025-01-19 03:22:46 +08:00
fa8cd629f1
This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
51 lines
1.6 KiB
Ruby
51 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class EmailChangeRequest < ActiveRecord::Base
|
|
belongs_to :user
|
|
belongs_to :old_email_token, class_name: 'EmailToken', dependent: :destroy
|
|
belongs_to :new_email_token, class_name: 'EmailToken', dependent: :destroy
|
|
belongs_to :requested_by, class_name: "User", foreign_key: :requested_by_user_id
|
|
|
|
validates :new_email, presence: true, format: { with: EmailValidator.email_regex }
|
|
|
|
def self.states
|
|
@states ||= Enum.new(authorizing_old: 1, authorizing_new: 2, complete: 3)
|
|
end
|
|
|
|
def self.find_by_new_token(token)
|
|
EmailChangeRequest
|
|
.joins("INNER JOIN email_tokens ON email_tokens.id = email_change_requests.new_email_token_id")
|
|
.where("email_tokens.token_hash = ?", EmailToken.hash_token(token))
|
|
.last
|
|
end
|
|
|
|
def requested_by_admin?
|
|
self.requested_by&.admin? && !self.requested_by_self?
|
|
end
|
|
|
|
def requested_by_self?
|
|
self.requested_by_user_id == self.user_id
|
|
end
|
|
end
|
|
|
|
# == Schema Information
|
|
#
|
|
# Table name: email_change_requests
|
|
#
|
|
# id :integer not null, primary key
|
|
# user_id :integer not null
|
|
# old_email :string
|
|
# new_email :string not null
|
|
# old_email_token_id :integer
|
|
# new_email_token_id :integer
|
|
# change_state :integer not null
|
|
# created_at :datetime not null
|
|
# updated_at :datetime not null
|
|
# requested_by_user_id :integer
|
|
#
|
|
# Indexes
|
|
#
|
|
# idx_email_change_requests_on_requested_by (requested_by_user_id)
|
|
# index_email_change_requests_on_user_id (user_id)
|
|
#
|