Commit 960116ed authored by Nikita Karetnikov's avatar Nikita Karetnikov Committed by Bryan Richter

Require a user to login before they can verify their email

This is not as bad as the password thing because the hash is
(implicitly) checked, but it still doesn't make sense to allow others
to verify your email.  So we shouldn't allow that.

Also, call `runDB` once, so it's done as a single transaction.
Signed-off-by: default avatarBryan Richter <>
parent 07d15d16
......@@ -417,9 +417,11 @@ postUserEstEligibleR user_id = do
getUserVerifyEmailR :: UserId -> Text -> Handler Html
getUserVerifyEmailR user_id hash = do
ver_uri <- getUrlRender <*> (pure $ UserVerifyEmailR user_id hash)
mver_email <- runDB $ fetchVerEmail ver_uri user_id
muser_email <- runDB $ fetchUserEmail user_id
void $ checkEditUser user_id
ver_uri <- getUrlRender <*> (pure $ UserVerifyEmailR user_id hash)
(mver_email, muser_email) <- runDB $ (,)
<$> fetchVerEmail ver_uri user_id
<*> fetchUserEmail user_id
if | Maybe.isNothing mver_email -> notFound
| Maybe.isNothing muser_email -> do
alertDanger $ "Failed to verify the email address since none is "
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment