1 files changed, 94 insertions, 22 deletions

diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index 161285a2..429eb584 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -16,6 +16,7 @@
 
 from datetime import datetime
 
+from itsdangerous import BadSignature
 from werkzeug.exceptions import Forbidden
 from werkzeug.utils import secure_filename
 
@@ -26,15 +27,19 @@ from mediagoblin import auth
 from mediagoblin.edit import forms
 from mediagoblin.edit.lib import may_edit_media
 from mediagoblin.decorators import (require_active_login, active_user_from_url,
-     get_media_entry_by_id,
-     user_may_alter_collection, get_user_collection)
-from mediagoblin.tools.response import render_to_response, \
-    redirect, redirect_obj
+                            get_media_entry_by_id, user_may_alter_collection,
+                            get_user_collection)
+from mediagoblin.tools.crypto import get_timed_signer_url
+from mediagoblin.tools.mail import email_debug_message
+from mediagoblin.tools.response import (render_to_response,
+                                        redirect, redirect_obj, render_404)
 from mediagoblin.tools.translate import pass_to_ugettext as _
+from mediagoblin.tools.template import render_template
 from mediagoblin.tools.text import (
     convert_to_tag_list_of_dicts, media_tags_as_string)
 from mediagoblin.tools.url import slugify
 from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
+from mediagoblin.db.models import User
 
 import mimetypes
 
@@ -212,6 +217,10 @@ def edit_profile(request, url_user=None):
         {'user': user,
          'form': form})
 
+EMAIL_VERIFICATION_TEMPLATE = (
+    u'{uri}?'
+    u'token={verification_key}')
+
 
 @require_active_login
 def edit_account(request):
@@ -220,27 +229,45 @@ def edit_account(request):
         wants_comment_notification=user.wants_comment_notification,
         license_preference=user.license_preference)
 
-    if request.method == 'POST':
-        form_validated = form.validate()
-
-        if form_validated and \
-                form.wants_comment_notification.validate(form):
-            user.wants_comment_notification = \
-                form.wants_comment_notification.data
-
-        if form_validated and \
-                form.license_preference.validate(form):
-            user.license_preference = \
-                form.license_preference.data
-
-        if form_validated and not form.errors:
+    if request.method == 'POST' and form.validate():
+        user.wants_comment_notification = form.wants_comment_notification.data
+
+        user.license_preference = form.license_preference.data
+
+        if form.new_email.data:
+            new_email = form.new_email.data
+            users_with_email = User.query.filter_by(
+                email=new_email).count()
+            if users_with_email:
+                form.new_email.errors.append(
+                    _('Sorry, a user with that email address'
+                      ' already exists.'))
+            else:
+                verification_key = get_timed_signer_url(
+                    'mail_verification_token').dumps({
+                        'user': user.id,
+                        'email': new_email})
+
+                rendered_email = render_template(
+                    request, 'mediagoblin/edit/verification.txt',
+                    {'username': user.username,
+                     'verification_url': EMAIL_VERIFICATION_TEMPLATE.format(
+                        uri=request.urlgen('mediagoblin.edit.verify_email',
+                                           qualified=True),
+                        verification_key=verification_key)})
+
+                email_debug_message(request)
+                auth_tools.send_verification_email(user, request, new_email,
+                                                 rendered_email)
+
+        if not form.errors:
             user.save()
             messages.add_message(request,
-                messages.SUCCESS,
-                _("Account settings saved"))
+                                 messages.SUCCESS,
+                                 _("Account settings saved"))
             return redirect(request,
-                'mediagoblin.user_pages.user_home',
-                user=user.username)
+                            'mediagoblin.user_pages.user_home',
+                            user=user.username)
 
     return render_to_response(
         request,
@@ -369,3 +396,48 @@ def change_pass(request):
         'mediagoblin/edit/change_pass.html',
         {'form': form,
          'user': user})
+
+
+def verify_email(request):
+    """
+    Email verification view for changing email address
+    """
+    # If no token, we can't do anything
+    if not 'token' in request.GET:
+        return render_404(request)
+
+    # Catch error if token is faked or expired
+    token = None
+    try:
+        token = get_timed_signer_url("mail_verification_token") \
+                .loads(request.GET['token'], max_age=10*24*3600)
+    except BadSignature:
+        messages.add_message(
+            request,
+            messages.ERROR,
+            _('The verification key or user id is incorrect.'))
+
+        return redirect(
+            request,
+            'index')
+
+    user = User.query.filter_by(id=int(token['user'])).first()
+
+    if user:
+        user.email = token['email']
+        user.save()
+
+        messages.add_message(
+            request,
+            messages.SUCCESS,
+            _('Your email address has been verified.'))
+
+    else:
+            messages.add_message(
+                request,
+                messages.ERROR,
+                _('The verification key or user id is incorrect.'))
+
+    return redirect(
+        request, 'mediagoblin.user_pages.user_home',
+        user=user.username)