Closed Bug 584845 Opened 14 years ago Closed 14 years ago

/z/ Email change tokens are not invalidated for deleted/anonymized users

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

x86
macOS
defect
Not set
minor

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 558511

People

(Reporter: dchanm+bugzilla, Unassigned)

References

Details

This bug is for the code at
https://preview.addons.mozilla.org/z/en-US/firefox/

The email change code generates a base64 encoded token with userid, email, and timestamp and a hash of the token. The token/hash pair remains valid after a user deletes their account. This allows a user to put their account in an inconsistent state: valid e-mail, no other identifying information and "deleted" set to true.


A potential fix is to make emailchange check for <UserProfile>.deleted
http://github.com/jbalogh/zamboni/blob/master/apps/users/views.py#L138

STR
1. Edit profile and change your e-mail
2. Delete your account
3. Click on the email address change e-mail

There may be a delay while waiting for the delete to propagate. When done successfully, your user profile will have no first/last/nickname and have the updated e-mail. 

Not really much a user can do with this since the /z/ login page checks for the deleted status and prevents login. However you can reset your password and login through the non /z/ pages.
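The flow described above, as an added example (not zamboni's own code): a token built from userid, email and timestamp with a hash over it, a confirmation handler that applies the change without consulting the profile's deleted flag, and the proposed fix that rejects the token once the profile is deleted. The MAC construction, the token lifetime, the `UserProfile` shape, the secret and the sample user are all assumptions made for this example; the bug does not state how zamboni computes the hash.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed secret for this example; a real deployment draws it from settings.
SECRET_KEY = b"constructed-example-secret"
TOKEN_MAX_AGE = 7 * 24 * 3600  # seconds; assumed lifetime, not taken from the bug


@dataclass
class UserProfile:
    """Minimal stand-in for the profile model (assumed fields)."""
    id: int
    email: str
    nickname: str
    deleted: bool = False

    def anonymize(self):
        """Mimic account deletion: strip identifying fields and flag the row."""
        self.nickname = ""
        self.deleted = True


def make_email_change_token(user_id, new_email, now=None):
    """Build the (token, hash) pair: base64 of userid/email/timestamp plus a MAC over it."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "email": new_email, "ts": now}).encode()
    token = base64.urlsafe_b64encode(payload).decode()
    digest = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    return token, digest


def _parse_token(token, digest, now):
    """Shared checks: MAC matches, token decodes, timestamp not expired."""
    expected = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None, "bad-hash"
    data = json.loads(base64.urlsafe_b64decode(token.encode()))
    if now - data["ts"] > TOKEN_MAX_AGE:
        return None, "expired"
    return data, None


def emailchange_vulnerable(users, token, digest, now):
    """Behaviour described in the bug: never consults UserProfile.deleted."""
    data, err = _parse_token(token, digest, now)
    if err:
        return err
    user = users.get(data["uid"])
    if user is None:
        return "no-user"
    user.email = data["email"]  # applied even to an anonymized account
    return "changed"


def emailchange_fixed(users, token, digest, now):
    """Proposed fix: a token for a deleted profile is no longer honoured."""
    data, err = _parse_token(token, digest, now)
    if err:
        return err
    user = users.get(data["uid"])
    if user is None:
        return "no-user"
    if user.deleted:
        return "rejected-deleted"
    user.email = data["email"]
    return "changed"


def replay_scenario(handler):
    """Run the bug's STR against a handler; return (status, resulting profile)."""
    users = {7: UserProfile(id=7, email="old@example.invalid", nickname="reporter")}
    t0 = 1_000_000
    token, digest = make_email_change_token(7, "new@example.invalid", now=t0)  # 1. request change
    users[7].anonymize()                                                        # 2. delete account
    status = handler(users, token, digest, now=t0 + 60)                         # 3. click the link
    return status, users[7]


if __name__ == "__main__":
    for handler in (emailchange_vulnerable, emailchange_fixed):
        status, profile = replay_scenario(handler)
        print(f"{handler.__name__}: {status} -> {profile}")
```

With the vulnerable handler the replay leaves a profile that is `deleted=True`, has an empty nickname and carries the new e-mail, which is exactly the inconsistent state the report describes; the fixed handler leaves the anonymized row untouched. Checking the flag on the confirmation side rather than trying to revoke outstanding tokens at deletion time closes the window regardless of how long delete propagation takes.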
Blocks: 582067
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Product: addons.mozilla.org → addons.mozilla.org Graveyard