when email changes, verify new email #78

app/auth/routes.py

@@ -210,15 +210,17 @@ def verify_email(token):
                 flash('You have been banned.', 'error')
                 return redirect(url_for('main.index'))
             if user.verified:   # guard against users double-clicking the link in the email
+                flash(_('Thank you for verifying your email address.'))
                 return redirect(url_for('main.index'))
             user.verified = True
             db.session.commit()
-            if not user.waiting_for_approval():
+            if not user.waiting_for_approval() and user.private_key is None:    # only finalize user set up if this is a brand new user. People can also end up doing this process when they change their email address in which case we DO NOT want to reset their keys, etc!
                 finalize_user_setup(user)
             else:
                 flash(_('Thank you for verifying your email address.'))
         else:
             flash(_('Email address validation failed.'), 'error')
+            return redirect(url_for('main.index'))
         if user.waiting_for_approval():
             return redirect(url_for('auth.please_wait'))
         else:

app/user/routes.py

@@ -107,10 +107,12 @@ def edit_profile(actor):
     if current_user.id != user.id:
         abort(401)
     form = ProfileForm()
+    old_email = user.email
     if form.validate_on_submit() and not current_user.banned:
         current_user.title = form.title.data
+        current_user.email = form.email.data.strip()
         # Email address has changed - request verification of new address
-        if form.email.data.strip() != current_user.email:
+        if form.email.data.strip() != old_email:
             current_user.verified = False
             verification_token = random_token(16)
             current_user.verification_token = verification_token