user_settings: Add auth check before confirm_email_change.

This isn't strictly necessary, but adds a little bit of extra security to the overall email change flow.
2025-11-04 05:53:43 +00:00 · 2017-03-04 13:46:48 +05:30
parent 35f854a2fd
commit ec77aa0dfb
2 changed files with 16 additions and 1 deletions
--- a/zerver/tests/test_email_change.py
+++ b/zerver/tests/test_email_change.py
@@ -47,10 +47,22 @@ class EmailChangeTestCase(ZulipTestCase):
        self.assertEqual(response.status_code, 200)
        self.assertIn("Whoops", response.content.decode('utf8'))

+    def test_email_change_when_not_logging_in(self):
+        # type: () -> None
+        key = generate_key()
+        with self.assertRaises(EmailChangeConfirmation.DoesNotExist):
+            url = EmailChangeConfirmation.objects.get_activation_url(key)
+
+        url = EmailChangeConfirmation.objects.get_activation_url(
+            key, 'testserver')
+        response = self.client_get(url)
+        self.assertEqual(response.status_code, 302)
+
    def test_confirm_email_change_when_time_exceeded(self):
        # type: () -> None
        old_email = 'hamlet@zulip.com'
        new_email = 'hamlet-new@zulip.com'
+        self.login('hamlet@zulip.com')
        user_profile = get_user_profile_by_email(old_email)
        obj = EmailChangeStatus.objects.create(new_email=new_email,
                                               old_email=old_email,
@@ -70,6 +82,7 @@ class EmailChangeTestCase(ZulipTestCase):
        # type: () -> None
        old_email = 'hamlet@zulip.com'
        new_email = 'hamlet-new@zulip.com'
+        self.login('hamlet@zulip.com')
        user_profile = get_user_profile_by_email(old_email)
        obj = EmailChangeStatus.objects.create(new_email=new_email,
                                               old_email=old_email,
--- a/zerver/views/user_settings.py
+++ b/zerver/views/user_settings.py
@@ -11,7 +11,8 @@ from django.shortcuts import redirect, render
 from django.template.loader import render_to_string
 from django.urls import reverse

-from zerver.decorator import authenticated_json_post_view, has_request_variables, REQ
+from zerver.decorator import authenticated_json_post_view, has_request_variables, \
+    zulip_login_required, REQ
 from zerver.lib.actions import do_change_password, \
    do_change_enable_desktop_notifications, \
    do_change_enter_sends, do_change_enable_sounds, \
@@ -34,6 +35,7 @@ from zerver.models import UserProfile, Realm, name_changes_disabled, \
    EmailChangeStatus
 from confirmation.models import EmailChangeConfirmation

+@zulip_login_required
 def confirm_email_change(request, confirmation_key):
    # type: (HttpRequest, str) -> HttpResponse
    confirmation_key = confirmation_key.lower()