mirror of https://github.com/zulip/zulip.git
0e2691815e
The .status value of EmailChangeStatus was not being looked at anywhere to prevent re-use of email change confirmation links. This is not a security issue, since the EmailChangeStatus object has a fixed value for the new_email, while the confirmation link has an expiry time of 1 day, which prevents any reasonable malicious scenarios. We fix this by making get_object_from_key look at confirmation.content_object.status - which applies generally to all confirmations where the attached object has the .status attribute. This is desired, because we never want to successfully get_object_from_key an object that has already been used or reused. This makes the prereg_user.status check in check_prereg_key redundant so it can be deleted.

- management
- migrations
- CHANGELOG.txt
- LICENSE.txt
- README.txt
- __init__.py
- models.py
- settings.py

README.txt

===================
Django Confirmation
===================

This is a generic object confirmation system for Django applications.

For installation instructions, see the file "INSTALL.txt" in this directory; for instructions on how to use this application, and on what it provides, see the file "overview.txt" in the "docs/" directory.