diff --git a/users/templates/users/confirm_email.html b/users/templates/users/confirm_email.html
new file mode 100644
index 0000000..c0f69ca
--- /dev/null
+++ b/users/templates/users/confirm_email.html
@@ -0,0 +1,29 @@
+{% extends "barest_base.html" %}
+{% load static %}
+
+{% block title %}Confirm email ยท {{ site_title }}{% endblock %}
+
+{% block content %}
+
+
+
+{% endblock %}
diff --git a/users/views.py b/users/views.py
index bc34665..c080797 100644
--- a/users/views.py
+++ b/users/views.py
@@ -54,15 +54,22 @@ def confirm_email(request, token=None):
 # good enough (though a special page might be prettier)
 raise Http404("Invalid or expired token")
- verification.user.is_active = True
- verification.user.save()
- verification.delete()
+ if request.method == 'POST':
+ # We insist on POST requests to do the actual confirmation (at the cost of an extra click). See:
+ # https://softwareengineering.stackexchange.com/a/422579/168778
+ # there's no form, the'res just a button to generate the post request
- # this mirrors the approach of what we do in password-resetting; and rightfully so because the in both cases access
- # to email is assumed to be sufficient proof of identity.
- login(request, verification.user)
+ verification.user.is_active = True
+ verification.user.save()
+ verification.delete()
- return redirect('home')
+ # this mirrors the approach of what we do in password-resetting; and rightfully so because the in both cases
+ # access to email is assumed to be sufficient proof of identity.
+ login(request, verification.user)
+
+ return redirect('home')
+
+ return render(request, "users/confirm_email.html")
 def resend_confirmation(request):
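Review bot: Requiring POST stops mail-scanner prefetches from consuming the token, but it only also stops a cross-site auto-submitted form (an attacker posting their own token to log a victim into the attacker's account) if the POST is CSRF-protected; the template hunk's markup is stripped from this view, so confirm the button's form carries `{% csrf_token %}` and that `confirm_email` is not decorated `@csrf_exempt`. The `is_active = True` / `save()` / `verification.delete()` sequence at the top of the POST branch is not atomic, so two concurrent POSTs with the same token can both reach `login()` before either deletes the row; wrapping those three statements in `with transaction.atomic():` (and using `select_for_update()` on the token lookup, which sits above this hunk) closes that window. While here, the new comment has two typos: `the'res` → `there's` and `because the in both cases` → `because in both cases`. `confirm_email` starts before this hunk, so the token lookup and any decorators are not visible here.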