From c68f2fe46103ac8599865efa6c27acbb6ca00975 Mon Sep 17 00:00:00 2001
From: Alan Guo Xiang Tan
Date: Thu, 12 Aug 2021 13:12:43 +0800
Subject: [PATCH] SECURITY: Destroy `EmailToken` when `EmailChangeRequest` is destroyed (#13950) (#14024)

Co-authored-by: jbrw
---
 app/models/email_change_request.rb     |  4 ++--
 spec/requests/users_controller_spec.rb | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/app/models/email_change_request.rb b/app/models/email_change_request.rb
index 60b0d04183..74bb307bea 100644
--- a/app/models/email_change_request.rb
+++ b/app/models/email_change_request.rb
@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 class EmailChangeRequest < ActiveRecord::Base
-  belongs_to :old_email_token, class_name: 'EmailToken'
-  belongs_to :new_email_token, class_name: 'EmailToken'
+  belongs_to :old_email_token, class_name: 'EmailToken', dependent: :destroy
+  belongs_to :new_email_token, class_name: 'EmailToken', dependent: :destroy
   belongs_to :user
   belongs_to :requested_by, class_name: "User", foreign_key: :requested_by_user_id
 
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 5fa9eb0a71..41f3334d27 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -2922,6 +2922,19 @@ describe UsersController do
         expect(user.user_emails.pluck(:email)).to contain_exactly(user_email.email, other_email.email)
         expect(user.email_change_requests).to contain_exactly(request_1)
       end
+
+      it "can destroy associated email tokens" do
+        new_email = 'new.n.cool@example.com'
+        updater = EmailUpdater.new(guardian: user.guardian, user: user)
+
+        expect { updater.change_to(new_email) }
+          .to change { user.email_tokens.count }.by(1)
+
+        expect { delete "/u/#{user.username}/preferences/email.json", params: { email: new_email } }
+          .to change { user.email_tokens.count }.by(-1)
+
+        expect(user.email_tokens.first.email).to eq(user.email)
+      end
     end
 
   describe '#is_local_username' do
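Review bot: The `dependent: :destroy` options on the two `belongs_to` lines carry the security fix but nothing in the model says why the tokens must not outlive the request, so a future cleanup could drop the option as "unneeded". I would add a comment above the two associations: `# A pending token must die with its change request; otherwise a cancelled email change could still be confirmed with the orphaned token.` Note that `dependent: :destroy` fires only on `destroy`/`destroy_all`, not on `delete`/`delete_all` or raw SQL, so every code path that removes an `EmailChangeRequest` has to go through `destroy` for this to hold, and tokens orphaned by requests removed before this change are presumably still present and may warrant a one-off cleanup. The class body continues outside the hunk.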
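Review bot: The new spec proves the fix only through token counts (`.by(1)` then `.by(-1)`) and `user.email_tokens.first.email`, which would also pass if the wrong token were destroyed and the counts happened to line up; asserting on the token for the new address pins the intended behaviour directly. I would add, after the `delete` expectation, `expect(user.email_tokens.where(email: new_email)).to be_empty` and, before it, `expect(user.email_tokens.where(email: new_email)).to exist` so the test names which token is created and which is removed. `user.email_tokens.first` also depends on the association's default ordering; the `where`-based assertion removes that dependency. The enclosing `describe`/`context` blocks start outside the hunk.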