Always invalidate all user email tokens

Reported by B. Dhiyaneshwaran of Geek Freak.
flarum · Nov 28, 2018 · 66607a5 · 66607a5
1 parent 546b4f0
commit 66607a5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/src/User/Command/ConfirmEmailHandler.php b/src/User/Command/ConfirmEmailHandler.php
@@ -53,7 +53,8 @@ public function handle(ConfirmEmail $command)
         $user->save();
         $this->dispatchEventsFor($user);
 
-        $token->delete();
+        // Delete *all* tokens for the user, in case other ones were sent first
+        $user->emailTokens()->delete();
 
         return $user;
     }

diff --git a/src/User/User.php b/src/User/User.php
@@ -614,6 +614,16 @@ public function notifications()
         return $this->hasMany('Flarum\Notification\Notification');
     }
 
+    /**
+     * Define the relationship with the user's email tokens.
+     *
+     * @return \Illuminate\Database\Eloquent\Relations\HasMany
+     */
+    public function emailTokens()
+    {
+        return $this->hasMany(EmailToken::class);
+    }
+
     /**
      * Define the relationship with the permissions of all of the groups that
      * the user is in.