paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

confirm_email_change: Use redirect-to-POST trick.

Browse Source 
Just like with signup confirmation links, we shouldn't trigger email
change based on a GET to the confirmation URL - POST should be required.

So upon GET of the confirmation link, we serve a form which will
immediately be POSTed by JS code to finalize the email change.
This commit is contained in:
Mateusz Mandera
2025-06-25 03:05:03 +08:00
committed by Tim Abbott
parent 32daab11c5
commit 2bfefe2ebd
11 changed files with 95 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
templates/confirmation/confirm_preregistrationuser.html
View File

@@ -1,5 +1,5 @@
{% extends "zerver/base.html" %}
{% set entrypoint = "confirm-preregistrationuser" %}
{% set entrypoint = "redirect-to-post" %}
{% block title %}
<title>{{ _("Confirming your email address") }} | Zulip</title>
@@ -13,7 +13,7 @@ requisite context to make a useful signup form. Therefore, we immediately
post to another view which executes in our code to produce the desired form.
#}
<form id="register" action="{{ registration_url }}" method="post">
<form id="register" class="redirect-to-post-form" action="{{ registration_url }}" method="post">
{{ csrf_input }}
<input type="hidden" value="{{ key }}" name="key"/>
<input type="hidden" value="1" name="from_confirmation"/>

28
templates/confirmation/redirect_to_post.html Normal file
View File

@@ -0,0 +1,28 @@
{% extends "zerver/base.html" %}
{% set entrypoint = "redirect-to-post" %}
{% block title %}
<title>{{ _("Confirming your email address") }} | Zulip</title>
{% endblock %}
{% block content %}
{#
The purpose of this is to be an intermediate page, served upon GET requests
to confirmation links. We simply serve a form which combined with some automatically
executed JavaScript code will immediately POST the confirmation key to the intended
endpoint.
This allows us to avoid triggering the action which is being confirmed via a mere
GET request.
This largely duplicates functionality and code with confirm_preregistrationuser.html.
We should find a way to to unify these.
#}
<form id="redirect-to-post-form" class="redirect-to-post-form" action="{{ target_url }}" method="post">
{{ csrf_input }}
<input type="hidden" value="{{ key }}" name="key"/>
</form>
{% endblock %}