Ensure confirmation email tokens are deleted if no longer valid

users/migrations/0087_request_email.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.28 on 2020-04-17 20:10
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0086_user_email_change_date'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='request',
+            name='email',
+            field=models.EmailField(blank=True, max_length=254, null=True),
+        ),
+    ]

users/models.py

@@ -831,10 +831,15 @@ class User(
     def confirm_email_address_mail(self, request):
         """Prend en argument un request, envoie un mail pour
         confirmer l'adresse"""
+        # Delete all older requests for this user, that aren't for this email
+        filter = Q(user=self) & Q(type=Request.EMAIL) & ~Q(email=self.email)
+        Request.objects.filter(filter).delete()
+
         # Create the request and send the email
         req = Request()
         req.type = Request.EMAIL
         req.user = self
+        req.email = self.email
         req.save()
 
         template = loader.get_template("users/email_confirmation_request")
@@ -1873,6 +1878,7 @@ class Request(models.Model):
     type = models.CharField(max_length=2, choices=TYPE_CHOICES)
     token = models.CharField(max_length=32)
     user = models.ForeignKey("User", on_delete=models.CASCADE)
+    email = models.EmailField(blank=True, null=True)
     created_at = models.DateTimeField(auto_now_add=True, editable=False)
     expires_at = models.DateTimeField()