fix(relocation): Ensure the correct email gets verified (#68721)

azaslavsky · c298lee · commit ac055f5b5a30 · 2024-04-12T12:43:55.000-04:00
In github.com//pull/68586, we verified AN email that matches the user's. Now, we filter on user_id, to ensure that we verify that specific user's email.
diff --git a/src/sentry/services/hybrid_cloud/user/impl.py b/src/sentry/services/hybrid_cloud/user/impl.py
@@ -237,6 +237,15 @@ def get_user_by_email(
             return serialize_rpc_user(user)
         return None
 
+    def verify_user_email(self, *, email: str, user_id: int) -> bool:
+        user_email = UserEmail.objects.filter(email__iexact=email, user_id=user_id).first()
+        if user_email is None:
+            return False
+        if not user_email.is_verified:
+            user_email.update(is_verified=True)
+            return True
+        return False
+
     def verify_any_email(self, *, email: str) -> bool:
         user_email = UserEmail.objects.filter(email__iexact=email).first()
         if user_email is None:
diff --git a/src/sentry/services/hybrid_cloud/user/service.py b/src/sentry/services/hybrid_cloud/user/service.py
@@ -156,6 +156,11 @@ def get_user_by_email(
     ) -> RpcUser | None:
         pass
 
+    @rpc_method
+    @abstractmethod
+    def verify_user_email(self, *, email: str, user_id: int) -> bool:
+        pass
+
     @rpc_method
     @abstractmethod
     def verify_any_email(self, *, email: str) -> bool:
diff --git a/src/sentry/web/frontend/accounts.py b/src/sentry/web/frontend/accounts.py
@@ -205,7 +205,7 @@ def recover_confirm(request, user_id, hash, mode="recover"):
                 # associated with this account in particular, since that is the only one the user
                 # claiming email could have been sent to.
                 rpc_user = user_service.get_user(user_id=user.id)
-                user_service.verify_any_email(email=user.email)
+                user_service.verify_user_email(email=user.email, user_id=user.id)
                 orgs = organization_service.get_organizations_by_user_and_scope(
                     region_name=mapping.region_name, user=rpc_user
                 )
diff --git a/tests/sentry/web/frontend/test_accounts.py b/tests/sentry/web/frontend/test_accounts.py
@@ -170,10 +170,7 @@ def test_relocate_recovery_post_multiple_orgs(self, terms_accepted_signal_mock):
         self.create_member(user=user, organization=org1)
         self.create_member(user=user, organization=org2)
 
-        resp = self.client.post(self.path, {"user": user.email})
-        assert resp.status_code == 200
-
-        lost_password = LostPasswordHash.objects.get(user=user)
+        lost_password = LostPasswordHash.objects.create(user=user)
         user.is_unclaimed = True
         user.save()
         old_password = user.password
@@ -219,19 +216,23 @@ def test_relocate_recovery_post_multiple_orgs(self, terms_accepted_signal_mock):
         assert UserEmail.objects.get(email=user.email).is_verified
 
     @patch("sentry.signals.terms_accepted.send_robust")
-    def test_relocate_recovery_post(self, terms_accepted_signal_mock):
-        user = self.create_user(email="test@example.com")
-        user_email = UserEmail.objects.get(email=user.email)
+    def test_relocate_recovery_post_another_user_with_same_email(self, terms_accepted_signal_mock):
+        same_email_user = self.create_user(username="same_email_as_first", email="test@example.com")
+        same_email_user_email = UserEmail.objects.get(
+            email=same_email_user.email, user_id=same_email_user.id
+        )
+        same_email_user_email.is_verified = False
+        same_email_user_email.save()
+
+        user = self.create_user(username="first", email="test@example.com")
+        user_email = UserEmail.objects.get(email=user.email, user_id=user.id)
         user_email.is_verified = False
         user_email.save()
 
         org = self.create_organization()
         self.create_member(user=user, organization=org)
 
-        resp = self.client.post(self.path, {"user": user.email})
-        assert resp.status_code == 200
-
-        lost_password = LostPasswordHash.objects.get(user=user)
+        lost_password = LostPasswordHash.objects.create(user=user)
         user.is_unclaimed = True
         user.save()
         old_password = user.password
@@ -262,7 +263,10 @@ def test_relocate_recovery_post(self, terms_accepted_signal_mock):
             sender=recover_confirm,
         )
 
-        assert UserEmail.objects.get(email=user.email).is_verified
+        assert UserEmail.objects.get(email=user.email, user_id=user.id).is_verified
+        assert not UserEmail.objects.get(
+            email=same_email_user_email.email, user_id=same_email_user.id
+        ).is_verified
 
     def test_relocate_recovery_unchecked_tos(self):
         user = self.create_user()

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ def recover_confirm(request, user_id, hash, mode="recover"):`
`205`	`205`	`# associated with this account in particular, since that is the only one the user`
`206`	`206`	`# claiming email could have been sent to.`
`207`	`207`	`rpc_user = user_service.get_user(user_id=user.id)`
`208`		`- user_service.verify_any_email(email=user.email)`
	`208`	`+ user_service.verify_user_email(email=user.email, user_id=user.id)`
`209`	`209`	`orgs = organization_service.get_organizations_by_user_and_scope(`
`210`	`210`	`region_name=mapping.region_name, user=rpc_user`
`211`	`211`	`)`