From: Tom Hughes
Date: Tue, 29 Sep 2020 12:47:40 +0000 (+0100)
Subject: Delete any outstanding tokens when a user changes their email
X-Git-Tag: live~1876
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c694c78c9a9fbc46f71519546cddc15f70835d20
Delete any outstanding tokens when a user changes their email
This ensures that any tokens previously sent to the old email address can no longer be used if somebody were able to access that address.
---
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index aa115a228..e5a57f47e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -366,7 +366,7 @@ class UsersController < ApplicationController
 else
 flash[:errors] = current_user.errors
 end
- token.destroy
+ current_user.tokens.delete_all
 session[:user] = current_user.id
 redirect_to :action => "account", :display_name => current_user.display_name
 elsif token
diff --git a/app/models/user.rb b/app/models/user.rb
index 0bff6868a..65c70d2c7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,7 +56,7 @@ class User < ApplicationRecord
 has_many :sent_messages, -> { where(:from_user_visible => true).order(:sent_on => :desc).preload(:sender, :recipient) }, :class_name => "Message", :foreign_key => :from_user_id
 has_many :friendships, -> { joins(:befriendee).where(:users => { :status => %w[active confirmed] }) }
 has_many :friends, :through => :friendships, :source => :befriendee
- has_many :tokens, :class_name => "UserToken"
+ has_many :tokens, :class_name => "UserToken", :dependent => :destroy
 has_many :preferences, :class_name => "UserPreference"
 has_many :changesets, -> { order(:created_at => :desc) }
 has_many :changeset_comments, :foreign_key => :author_id
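Review bot: `current_user.tokens.delete_all` in users_controller.rb removes the rows only because the `tokens` association in app/models/user.rb (the second hunk) now declares `:dependent => :destroy`; on a `has_many` with no `:dependent` option, `delete_all` nullifies the foreign key instead, which would leave the token rows in the table. Nothing at the call site shows that dependency, so a comment such as `# relies on :dependent on User#tokens; without it delete_all only nullifies user_id` would keep a later model cleanup from silently undoing the invalidation. Rails also turns `:destroy` into a plain SQL DELETE for this call, so any destroy callbacks on UserToken are skipped (none are visible on this page). The call sits after the `if`/`else` around the save, so it appears to run even when the save failed and the email did not change; the enclosing action starts and ends outside the hunk, so confirm that is intended.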