From 0eea7a2600d590810e151532454485df52deafcd Mon Sep 17 00:00:00 2001
From: rimu <3310831+rimu@users.noreply.github.com>
Date: Sat, 25 May 2024 22:37:17 +1200
Subject: [PATCH] when email changes, verify new email #78

---
 app/auth/routes.py | 4 +++-
 app/user/routes.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/auth/routes.py b/app/auth/routes.py
index 55d0b464..df616432 100644
--- a/app/auth/routes.py
+++ b/app/auth/routes.py
@@ -210,15 +210,17 @@ def verify_email(token):
                 flash('You have been banned.', 'error')
                 return redirect(url_for('main.index'))
             if user.verified:   # guard against users double-clicking the link in the email
+                flash(_('Thank you for verifying your email address.'))
                 return redirect(url_for('main.index'))
             user.verified = True
             db.session.commit()
-            if not user.waiting_for_approval():
+            if not user.waiting_for_approval() and user.private_key is None:    # only finalize user set up if this is a brand new user. People can also end up doing this process when they change their email address in which case we DO NOT want to reset their keys, etc!
                 finalize_user_setup(user)
             else:
                 flash(_('Thank you for verifying your email address.'))
         else:
             flash(_('Email address validation failed.'), 'error')
+            return redirect(url_for('main.index'))
         if user.waiting_for_approval():
             return redirect(url_for('auth.please_wait'))
         else:
diff --git a/app/user/routes.py b/app/user/routes.py
index 5f90c92d..a530d12c 100644
--- a/app/user/routes.py
+++ b/app/user/routes.py
@@ -107,10 +107,12 @@ def edit_profile(actor):
     if current_user.id != user.id:
         abort(401)
     form = ProfileForm()
+    old_email = user.email
     if form.validate_on_submit() and not current_user.banned:
         current_user.title = form.title.data
+        current_user.email = form.email.data.strip()
         # Email address has changed - request verification of new address
-        if form.email.data.strip() != current_user.email:
+        if form.email.data.strip() != old_email:
             current_user.verified = False
             verification_token = random_token(16)
             current_user.verification_token = verification_token