remove user.new_email and use user_token.data instead

Author: amnah

controllers/AuthController.php

@@ -113,8 +113,10 @@ protected function attemptLogin($client)
     {
         /** @var \amnah\yii2\user\models\User $user */
         /** @var \amnah\yii2\user\models\UserAuth $userAuth */
+        /** @var \amnah\yii2\user\models\UserToken $userToken */
         $user = Yii::$app->getModule("user")->model("User");
         $userAuth = Yii::$app->getModule("user")->model("UserAuth");
+        $userToken = Yii::$app->getModule("user")->model("UserToken");
 
         // attempt to find userAuth in database by id and name
         $attributes = $client->getUserAttributes();
@@ -123,9 +125,9 @@ protected function attemptLogin($client)
             "provider_id" => (string)$attributes["id"],
         ]);
         if ($userAuth) {
-            $user = $user::findOne($userAuth->user_id);
 
-            // check if user is banned
+            // check if user is banned, otherwise log in
+            $user = $user::findOne($userAuth->user_id);
             if ($user && $user->banned_at) {
                 return false;
             }
@@ -143,9 +145,13 @@ protected function attemptLogin($client)
         // attempt to find user by email
         if (!empty($user["email"])) {
 
-            // check if any user has `new_email` set and clear it
+            // check if any user has has tried to change their email
+            // if so, delete it
             $email = trim($user["email"]);
-            $this->clearNewEmail($email);
+            $userToken = $userToken::findByData($email, $userToken::TYPE_EMAIL_CHANGE);
+            if ($userToken) {
+                $userToken->delete();
+            }
 
             // find user and create user provider for match
             $user = $user::findOne(["email" => $email]);
@@ -160,30 +166,6 @@ protected function attemptLogin($client)
         return false;
     }
 
-    /**
-     * Check to see if any user has changed their email but not yet confirmed it. It will
-     * thus be in `user.new_email`, so we need to clear it in case they try to actually
-     * confirm the change (which would result in an unique constraint error for email)
-     * @param string $email
-     */
-    protected function clearNewEmail($email)
-    {
-        /** @var \amnah\yii2\user\models\User $user */
-        /** @var \amnah\yii2\user\models\UserToken $userToken */
-        $user = Yii::$app->getModule("user")->model("User");
-        $userToken = Yii::$app->getModule("user")->model("UserToken");
-
-        // attempt to find user with new_email. remove it and the associated userToken
-        $user = $user::findOne(["new_email" => $email]);
-        if ($user) {
-            $user->clearNewEmail();
-            $userToken = $userToken::findByUser($user->id, $userToken::TYPE_EMAIL_CHANGE);
-            if ($userToken) {
-                $userToken->delete();
-            }
-        }
-    }
-
     /**
      * Register a new user using client attributes and then associate userAuth
      * @param \yii\authclient\BaseClient $client

controllers/DefaultController.php

@@ -171,8 +171,6 @@ protected function afterRegister($user)
 
         // check if we have a userToken type to process, or just log user in directly
         if ($userTokenType) {
-
-            // generate userToken and send email
             $userToken = $userToken::generate($user->id, $userTokenType);
             if (!$numSent = $user->sendEmailConfirmation($userToken)) {
 
@@ -203,12 +201,13 @@ public function actionConfirm($token)
             //   for example, user registered another account before confirming change of email
             $user = Yii::$app->getModule("user")->model("User");
             $user = $user::findOne($userToken->user_id);
-            $email = $user->new_email ?: $user->email;;
-            if ($user->confirm()) {
+            $newEmail = $userToken->data;
+            if ($user->confirm($newEmail)) {
                 $success = true;
             }
 
-            // delete token either way
+            // set email and delete token
+            $email = $newEmail ?: $user->email;
             $userToken->delete();
         }
 
@@ -235,13 +234,13 @@ public function actionAccount()
         }
 
         // validate for normal request
+        $userToken = Yii::$app->getModule("user")->model("UserToken");
         if ($loadedPost && $user->validate()) {
 
-            // generate userToken and send email if user changed his email
-            if (Yii::$app->getModule("user")->emailChangeConfirmation && $user->checkAndPrepEmailChange()) {
-
-                $userToken = Yii::$app->getModule("user")->model("UserToken");
-                $userToken = $userToken::generate($user->id, $userToken::TYPE_EMAIL_CHANGE);
+            // check if user changed his email
+            $newEmail = $user->checkEmailChange();
+            if ($newEmail) {
+                $userToken = $userToken::generate($user->id, $userToken::TYPE_EMAIL_CHANGE, $newEmail);
                 if (!$numSent = $user->sendEmailConfirmation($userToken)) {
 
                     // handle email error
@@ -253,9 +252,11 @@ public function actionAccount()
             $user->save(false);
             Yii::$app->session->setFlash("Account-success", Yii::t("user", "Account updated"));
             return $this->refresh();
+        } else {
+            $userToken = $userToken::findByUser($user->id, $userToken::TYPE_EMAIL_CHANGE);
         }
 
-        return $this->render("account", compact("user"));
+        return $this->render("account", compact("user", "userToken"));
     }
 
     /**
@@ -338,9 +339,6 @@ public function actionCancel()
         $userToken = Yii::$app->getModule("user")->model("UserToken");
         $userToken = $userToken::findByUser($user->id, $userToken::TYPE_EMAIL_CHANGE);
         if ($userToken) {
-
-            // clear new_email, delete userToken, and set flash message
-            $user->clearNewEmail();
             $userToken->delete();
             Yii::$app->session->setFlash("Cancel-success", Yii::t("user", "Email change cancelled"));
         }

migrations/m150214_044831_init_user.php

@@ -25,7 +25,6 @@ public function safeUp()
             'role_id' => Schema::TYPE_INTEGER . ' not null',
             'status' => Schema::TYPE_SMALLINT . ' not null',
             'email' => Schema::TYPE_STRING . ' null default null',
-            'new_email' => Schema::TYPE_STRING . ' null default null',
             'username' => Schema::TYPE_STRING . ' null default null',
             'password' => Schema::TYPE_STRING . ' null default null',
             'auth_key' => Schema::TYPE_STRING . ' null default null',
@@ -43,6 +42,7 @@ public function safeUp()
             'user_id' => Schema::TYPE_INTEGER . ' not null',
             'type' => Schema::TYPE_SMALLINT . ' not null',
             'token' => Schema::TYPE_STRING . ' not null',
+            'data' => Schema::TYPE_STRING . ' null default null',
             'created_at' => Schema::TYPE_TIMESTAMP . ' null default null',
             'expired_at' => Schema::TYPE_TIMESTAMP . ' null default null',
         ], $tableOptions);

models/User.php

@@ -17,7 +17,6 @@
  * @property string $role_id
  * @property integer $status
  * @property string $email
- * @property string $new_email
  * @property string $username
  * @property string $password
  * @property string $auth_key
@@ -136,7 +135,6 @@ public function attributeLabels()
             'role_id' => Yii::t('user', 'Role ID'),
             'status' => Yii::t('user', 'Status'),
             'email' => Yii::t('user', 'Email'),
-            'new_email' => Yii::t('user', 'New Email'),
             'username' => Yii::t('user', 'Username'),
             'password' => Yii::t('user', 'Password'),
             'auth_key' => Yii::t('user', 'Auth Key'),
@@ -334,30 +332,31 @@ public function setRegisterAttributes($roleId, $userIp, $status = null)
     }
 
     /**
-     * Check and prepare for email change
-     * @return bool True if user set a `new_email`
+     * Check for email change
+     * @return string|bool
      */
-    public function checkAndPrepEmailChange()
+    public function checkEmailChange()
     {
-        // check if user is removing email address (only if Module::$requireEmail = false)
-        if (trim($this->email) === "") {
+        // check if user didn't change email
+        if ($this->email == $this->getOldAttribute("email")) {
             return false;
         }
 
-        // check for change in email
-        if ($this->email != $this->getOldAttribute("email")) {
-
-            // change status
-            $this->status = static::STATUS_UNCONFIRMED_EMAIL;
-
-            // set `new_email` attribute and restore old one
-            $this->new_email = $this->email;
-            $this->email = $this->getOldAttribute("email");
+        // check if we need to confirm email change
+        if (!Yii::$app->getModule("user")->emailChangeConfirmation) {
+            return false;
+        }
 
-            return true;
+        // check if user is removing email address (only valid if Module::$requireEmail = false)
+        if (!$this->email) {
+            return false;
         }
 
-        return false;
+        // update status and email before returning new email
+        $newEmail = $this->email;
+        $this->status = static::STATUS_UNCONFIRMED_EMAIL;
+        $this->email = $this->getOldAttribute("email");
+        return $newEmail;
     }
 
     /**
@@ -371,42 +370,29 @@ public function updateLoginMeta()
         return $this->save(false, ["logged_in_ip", "logged_in_at"]);
     }
 
-    /**
-     * Clear new_email field
-     * @param bool $save
-     * @return static
-     */
-    public function clearNewEmail($save = true)
-    {
-        $this->new_email = null;
-        if ($save) {
-            $this->save(false, ["new_email"]);
-        }
-        return $this;
-    }
-
     /**
      * Confirm user email
+     * @param string $newEmail
      * @return bool
      */
-    public function confirm()
+    public function confirm($newEmail)
     {
         // update status
         $this->status = static::STATUS_ACTIVE;
 
-        // check new_email if set and check if another user already has it
+        // process $newEmail from a userToken
+        //   check if another user already has that email
         $success = true;
-        if ($this->new_email) {
-            $checkUser = static::findOne(["email" => $this->new_email]);
+        if ($newEmail) {
+            $checkUser = static::findOne(["email" => $newEmail]);
             if ($checkUser) {
                 $success = false;
             } else {
-                $this->email = $this->new_email;
+                $this->email = $newEmail;
             }
-            $this->new_email = null;
         }
 
-        $this->save(false, ["email", "new_email", "status"]);
+        $this->save(false, ["email", "status"]);
         return $success;
     }
 
@@ -479,7 +465,7 @@ public function sendEmailConfirmation($userToken)
         // send email
         $user = $this;
         $profile = $user->profile;
-        $email = $user->new_email ?: $user->email;
+        $email = $userToken->data ?: $user->email;
         $subject = Yii::$app->id . " - " . Yii::t("user", "Email Confirmation");
         $message = $mailer->compose('confirmEmail', compact("subject", "user", "profile", "userToken"))
             ->setTo($email)

models/UserToken.php

@@ -45,6 +45,7 @@ public function attributeLabels()
             'user_id' => Yii::t('user', 'User ID'),
             'type' => Yii::t('user', 'Type'),
             'token' => Yii::t('user', 'Token'),
+            'data' => Yii::t('user', 'Data'),
             'created_at' => Yii::t('user', 'Created At'),
             'expired_at' => Yii::t('user', 'Expired At'),
         ];
@@ -79,10 +80,11 @@ public function getUser()
      * Generate/reuse a userToken
      * @param int $userId
      * @param int $type
+     * @param string $data
      * @param string $expireTime
      * @return static
      */
-    public static function generate($userId, $type, $expireTime = null)
+    public static function generate($userId, $type, $data = null, $expireTime = null)
     {
         // attempt to find existing record
         // otherwise create new
@@ -95,6 +97,7 @@ public static function generate($userId, $type, $expireTime = null)
         // set/update data
         $model->user_id = $userId;
         $model->type = $type;
+        $model->data = $data;
         $model->created_at = date("Y-m-d H:i:s");
         $model->expired_at = $expireTime;
         $model->token = Yii::$app->security->generateRandomString();
@@ -103,15 +106,16 @@ public static function generate($userId, $type, $expireTime = null)
     }
 
     /**
-     * Find an active userToken by userId
-     * @param int $userId
+     * Find a userToken by specified field/value
+     * @param string $field
+     * @param string $value
      * @param array|int $type
      * @param bool $checkExpiration
      * @return static
      */
-    public static function findByUser($userId, $type, $checkExpiration = true)
+    public static function findBy($field, $value, $type, $checkExpiration)
     {
-        $query = static::find()->where(["user_id" => $userId, "type" => $type ]);
+        $query = static::find()->where([$field => $value, "type" => $type ]);
         if ($checkExpiration) {
             $now = date("Y-m-d H:i:s");
             $query->andWhere("([[expired_at]] >= '$now' or [[expired_at]] is NULL)");
@@ -120,19 +124,38 @@ public static function findByUser($userId, $type, $checkExpiration = true)
     }
 
     /**
-     * Find an active userToken by token
+     * Find a userToken by userId
+     * @param int $userId
+     * @param array|int $type
+     * @param bool $checkExpiration
+     * @return static
+     */
+    public static function findByUser($userId, $type, $checkExpiration = true)
+    {
+        return static::findBy("user_id", $userId, $type, $checkExpiration);
+    }
+
+    /**
+     * Find a userToken by token
      * @param string $token
      * @param array|int $type
      * @param bool $checkExpiration
      * @return static
      */
     public static function findByToken($token, $type, $checkExpiration = true)
     {
-        $query = static::find()->where(["token" => $token, "type" => $type ]);
-        if ($checkExpiration) {
-            $now = date("Y-m-d H:i:s");
-            $query->andWhere("([[expired_at]] >= '$now' or [[expired_at]] is NULL)");
-        }
-        return $query->one();
+        return static::findBy("token", $token, $type, $checkExpiration);
+    }
+
+    /**
+     * Find a userToken by data
+     * @param string $data
+     * @param array|int $type
+     * @param bool $checkExpiration
+     * @return static
+     */
+    public static function findByData($data, $type, $checkExpiration = true)
+    {
+        return static::findBy("data", $data, $type, $checkExpiration);
     }
 }

models/forms/ForgotForm.php

@@ -92,7 +92,7 @@ public function sendForgotEmail()
 
             // create userToken
             $userToken = Yii::$app->getModule("user")->model("UserToken");
-            $userToken = $userToken::generate($user->id, $userToken::TYPE_PASSWORD_RESET, $expireTime);
+            $userToken = $userToken::generate($user->id, $userToken::TYPE_PASSWORD_RESET, null, $expireTime);
 
             // modify view path to module views
             $mailer = Yii::$app->mailer;