If user is pending it means they have not verified email yet

Added better checking on re use of consumed verification link.
2026-02-05 10:53:28 -05:00 · 2016-03-29 12:13:36 +01:00
parent 3f73b4bcdb
commit 352f169fb1
4 changed files with 52 additions and 23 deletions
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -31,6 +31,9 @@ def sign_in():
    if form.validate_on_submit():
        user = user_api_client.get_user_by_email_or_none(form.email_address.data)
        user = _get_and_verify_user(user, form.password.data)
+        if user and user.state == 'pending':
+            flash("You haven't verified your email or mobile number yet.")
+            return redirect(url_for('main.sign_in'))
        if user:
            # Remember me login
            if not login_fresh() and \
@@ -45,9 +48,7 @@ def sign_in():
                    return redirect(url_for('main.choose_service'))

            session['user_details'] = {"email": user.email_address, "id": user.id}
-            if user.state == 'pending':
-                return redirect(url_for('.verify'))
-            elif user.is_active():
+            if user.is_active():
                user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
                if request.args.get('next'):
                    return redirect(url_for('.two_factor', next=request.args.get('next')))
--- a/app/main/views/verify.py
+++ b/app/main/views/verify.py
@@ -6,7 +6,8 @@ from flask import (
    session,
    url_for,
    current_app,
-    flash
+    flash,
+    abort
 )

 from itsdangerous import SignatureExpired
@@ -55,10 +56,17 @@ def verify_email(token):

        token_data = json.loads(token_data)
        verified = user_api_client.check_verify_code(token_data['user_id'], token_data['secret_code'], 'email')
+        user = user_api_client.get_user(token_data['user_id'])
+        if not user:
+            abort(404)
+
+        if user.is_active():
+            flash("You have already verified your email address.")
+            return redirect(url_for('main.sign_in'))
+
+        session['user_details'] = {"email": user.email_address, "id": user.id}
        if verified[0]:
-            user = user_api_client.get_user(token_data['user_id'])
            user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
-            session['user_details'] = {"email": user.email_address, "id": user.id}
            return redirect('verify')
        else:
            if verified[1] == 'Code has expired':