Delete any outstanding tokens when a user changes their email

This ensures that any tokens previously sent to the old email address
can no longer be used if somebody were able to access that address.

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index aa115a2282fee7b3072f73f46b07cb94fe7f3f6b..e5a57f47ef85439262c727db842570ede3d6a2b6 100644 (file)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -366,7 +366,7 @@ class UsersController < ApplicationController
         else
           flash[:errors] = current_user.errors
         end
-        token.destroy
+        current_user.tokens.delete_all
         session[:user] = current_user.id
         redirect_to :action => "account", :display_name => current_user.display_name
       elsif token

diff --git a/app/models/user.rb b/app/models/user.rb
index 0bff6868a31ef45e9de31867049c12630a83fc12..65c70d2c7a4f8e097ae1277a1e4835a8ab032d1c 100644 (file)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,7 +56,7 @@ class User < ApplicationRecord
   has_many :sent_messages, -> { where(:from_user_visible => true).order(:sent_on => :desc).preload(:sender, :recipient) }, :class_name => "Message", :foreign_key => :from_user_id
   has_many :friendships, -> { joins(:befriendee).where(:users => { :status => %w[active confirmed] }) }
   has_many :friends, :through => :friendships, :source => :befriendee
-  has_many :tokens, :class_name => "UserToken"
+  has_many :tokens, :class_name => "UserToken", :dependent => :destroy
   has_many :preferences, :class_name => "UserPreference"
   has_many :changesets, -> { order(:created_at => :desc) }
   has_many :changeset_comments, :foreign_key => :author_id