From e9c88ea176387cad6b5188ec7c6061eb78d765fd Mon Sep 17 00:00:00 2001
From: Omer Lachish
Date: Wed, 27 Feb 2019 12:17:20 +0200
Subject: [PATCH] Verify address when users change their e-mail (#3504)
* re-verify e-mail address on change
* send verification e-mail to the new address
---
 redash/handlers/users.py | 9 ++++++++-
 tests/handlers/test_users.py | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/redash/handlers/users.py b/redash/handlers/users.py
index 518684a7..2d2feab9 100644
--- a/redash/handlers/users.py
+++ b/redash/handlers/users.py
@@ -13,7 +13,7 @@ from redash.permissions import require_permission, require_admin_or_owner, is_ad
 require_permission_or_owner, require_admin
 from redash.handlers.base import BaseResource, require_fields, get_object_or_404, paginate, order_results as _order_results
-from redash.authentication.account import invite_link_for_user, send_invite_email, send_password_reset_email
+from redash.authentication.account import invite_link_for_user, send_invite_email, send_password_reset_email, send_verify_email
 from redash.settings import parse_boolean
@@ -225,10 +225,17 @@ class UserResource(BaseResource):
 if domain.lower() in blacklist or domain.lower() == 'qq.com':
 abort(400, message='Bad email address.')
+ email_changed = 'email' in params and params['email'] != user.email
+ if email_changed:
+ user.is_email_verified = False
+
 try:
 self.update_model(user, params)
 models.db.session.commit()
+ if email_changed:
+ send_verify_email(user, self.current_org)
+
 # The user has updated their email or password. This should invalidate all _other_ sessions,
 # forcing them to log in again. Since we don't want to force _this_ session to have to go
 # through login again, we call `login_user` in order to update the session with the new identity details.
diff --git a/tests/handlers/test_users.py b/tests/handlers/test_users.py
index 240a6ce4..e00bc55e 100644
--- a/tests/handlers/test_users.py
+++ b/tests/handlers/test_users.py 
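Review bot: `send_verify_email(user, self.current_org)` is called right after `models.db.session.commit()` with no error handling of its own, so a mail-delivery failure leaves the new, unverified address already persisted while the request fails through whatever `except` clauses follow this `try` (those, like the start of the enclosing method, are outside the hunk). Consider guarding the send so a mail error is logged with the module's logger rather than turning an already-committed change into an error response, e.g. `try: send_verify_email(user, self.current_org)` / `except Exception: logging.exception("failed to send verification e-mail")`. `email_changed` is also computed from the raw `params['email']` before `update_model` applies it; if `update_model` normalizes the address (case, surrounding whitespace), a cosmetically different input would clear `is_email_verified` and trigger a verification mail for an effectively unchanged address, so deriving the flag from the normalized value is safer. Note too that only the new address is contacted; the previous address receives no notice that the account's e-mail was changed, which is the usual signal for a user to spot an unauthorized change.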
@@ -202,6 +202,12 @@ class TestUserResourcePost(BaseTestCase):
 rv = self.make_request('post', "/api/users/{}".format(self.factory.user.id), data={"name": "New Name"})
 self.assertEqual(rv.status_code, 200)
+ def test_marks_email_as_not_verified_when_changed(self):
+ user = self.factory.user
+ user.is_email_verified = True
+ rv = self.make_request('post', "/api/users/{}".format(user.id), data={"email": "donald@trump.biz"})
+ self.assertFalse(user.is_email_verified)
+
 def test_returns_200_for_admin_changing_other_user(self):
 admin = self.factory.create_admin()