From 216d14bb25c091753eb83b539f0de8bc9d6a6d84 Mon Sep 17 00:00:00 2001
From: Jean-Romain Garnier <jean-romain.garnier@supelec.fr>
Date: Fri, 17 Apr 2020 20:12:12 +0000
Subject: [PATCH] Ensure confirmation email tokens are deleted if no longer
 valid

---
 users/migrations/0087_request_email.py | 20 ++++++++++++++++++++
 users/models.py                        |  6 ++++++
 2 files changed, 26 insertions(+)
 create mode 100644 users/migrations/0087_request_email.py

diff --git a/users/migrations/0087_request_email.py b/users/migrations/0087_request_email.py
new file mode 100644
index 00000000..3cb8d792
--- /dev/null
+++ b/users/migrations/0087_request_email.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.28 on 2020-04-17 20:10
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0086_user_email_change_date'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='request',
+            name='email',
+            field=models.EmailField(blank=True, max_length=254, null=True),
+        ),
+    ]
diff --git a/users/models.py b/users/models.py
index 2c71c466..8431b0b3 100755
--- a/users/models.py
+++ b/users/models.py
@@ -831,10 +831,15 @@ class User(
     def confirm_email_address_mail(self, request):
         """Prend en argument un request, envoie un mail pour
         confirmer l'adresse"""
+        # Delete all older requests for this user, that aren't for this email
+        filter = Q(user=self) & Q(type=Request.EMAIL) & ~Q(email=self.email)
+        Request.objects.filter(filter).delete()
+
         # Create the request and send the email
         req = Request()
         req.type = Request.EMAIL
         req.user = self
+        req.email = self.email
         req.save()
 
         template = loader.get_template("users/email_confirmation_request")
@@ -1873,6 +1878,7 @@ class Request(models.Model):
     type = models.CharField(max_length=2, choices=TYPE_CHOICES)
     token = models.CharField(max_length=32)
     user = models.ForeignKey("User", on_delete=models.CASCADE)
+    email = models.EmailField(blank=True, null=True)
     created_at = models.DateTimeField(auto_now_add=True, editable=False)
     expires_at = models.DateTimeField()