diff --git a/redash/handlers/users.py b/redash/handlers/users.py
index 518684a71e..2d2feab9cb 100644
--- a/redash/handlers/users.py
+++ b/redash/handlers/users.py
@@ -13,7 +13,7 @@ require_permission_or_owner, require_admin
 from redash.handlers.base import BaseResource, require_fields, get_object_or_404, paginate, order_results as _order_results
-from redash.authentication.account import invite_link_for_user, send_invite_email, send_password_reset_email
+from redash.authentication.account import invite_link_for_user, send_invite_email, send_password_reset_email, send_verify_email
 from redash.settings import parse_boolean
@@ -225,10 +225,17 @@ def post(self, user_id):
 if domain.lower() in blacklist or domain.lower() == 'qq.com':
 abort(400, message='Bad email address.')
+ email_changed = 'email' in params and params['email'] != user.email
+ if email_changed:
+ user.is_email_verified = False
+
 try:
 self.update_model(user, params)
 models.db.session.commit()
+ if email_changed:
+ send_verify_email(user, self.current_org)
+
 # The user has updated their email or password. This should invalidate all _other_ sessions,
 # forcing them to log in again. Since we don't want to force _this_ session to have to go
 # through login again, we call `login_user` in order to update the session with the new identity details.
diff --git a/tests/handlers/test_users.py b/tests/handlers/test_users.py
index 240a6ce4df..e00bc55e7b 100644
--- a/tests/handlers/test_users.py
+++ b/tests/handlers/test_users.py
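Review bot: In the `post` hunk of redash/handlers/users.py, `send_verify_email(user, self.current_org)` runs inside the `try` right after `models.db.session.commit()`, so a failure while sending would be handled by whatever `except` follows (outside this hunk) even though the new address is already committed with `is_email_verified = False`; consider moving the send out of the `try`, or guarding it separately and logging the failure. The verification mail goes only to the new address, so the previous address gets no notice that the account's email was changed, which is the signal an account owner needs to spot an unwanted change; a notification to the old address, captured before `update_model`, would cover that. Nothing visible here shows what an unverified address is prevented from doing, so a comment above `user.is_email_verified = False` such as `# Reset verification: the new address is unproven until the user follows the emailed link.` would record the intent. The body of `post` starts and ends outside the hunk.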
@@ -202,6 +202,12 @@ def test_returns_200_for_non_admin_changing_his_own(self):
 rv = self.make_request('post', "/api/users/{}".format(self.factory.user.id), data={"name": "New Name"})
 self.assertEqual(rv.status_code, 200)
+ def test_marks_email_as_not_verified_when_changed(self):
+ user = self.factory.user
+ user.is_email_verified = True
+ rv = self.make_request('post', "/api/users/{}".format(user.id), data={"email": "donald@trump.biz"})
+ self.assertFalse(user.is_email_verified)
+
 def test_returns_200_for_admin_changing_other_user(self):
 admin = self.factory.create_admin()
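Review bot: `test_marks_email_as_not_verified_when_changed` assigns `rv` but never checks it, and because the handler clears `is_email_verified` before `update_model` runs, the final assertion could hold even when the update itself is rejected; adding `self.assertEqual(rv.status_code, 200)` before `self.assertFalse(...)` closes that gap. The test also does not check that a verification mail is triggered for the new address, which is the other half of this change; if the suite can patch `send_verify_email`, asserting it was called once would pin that down. A companion case that posts the unchanged address and asserts the flag stays `True` would cover the `params['email'] != user.email` condition.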