From c91f618c443aaefced7ef39d7dbe905dbfdaae4e Mon Sep 17 00:00:00 2001
From: brandonkelly <brandon@pixelandtonic.com>
Date: Wed, 1 Mar 2017 05:12:39 -0800
Subject: [PATCH] Resolved #1421

---
 CHANGELOG-v3.md                     |  1 +
 src/controllers/UsersController.php | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG-v3.md b/CHANGELOG-v3.md
index 3448e8a4ab4..9b015ded243 100644
--- a/CHANGELOG-v3.md
+++ b/CHANGELOG-v3.md
@@ -25,6 +25,7 @@ Craft CMS 3.0 Working Changelog
 - Asset focal point coordinates are now stored as decimal fractions instead of absolute coordinates.
 - #1420: Craft now does fuzzy searching on the right side of a keyword by default.
 - It’s now possible to add columns to an element query’s `select` clause without completely replacing all of the default columns, by calling its `addSelect()` method.
+- #1421: Users are no longer logged out when verifying a new email address on their own account.
 - `craft\base\Volume::filesystem()` now accepts a config parameter.
 - `craft\base\Volume::getFileList()` now returns the file list array indexed by the file URIs.
 - `craft\base\Volume::getMissingFiles()` no longer accepts a list of volume IDs and returns all missing files for that session,
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
index 01960618993..769615dc499 100644
--- a/src/controllers/UsersController.php
+++ b/src/controllers/UsersController.php
@@ -418,6 +418,11 @@ public function actionVerifyEmail()
 
         Craft::$app->getUsers()->verifyEmailForUser($userToProcess);
 
+        // If they're logged in, give them a success notice
+        if (!Craft::$app->getUser()->getIsGuest()) {
+            Craft::$app->getSession()->setNotice(Craft::t('app', 'Email verified'));
+        }
+
         if ($userIsPending) {
             // They were just activated, so treat this as an activation request
             if (($response = $this->_onAfterActivateUser($userToProcess)) !== null) {
@@ -1715,10 +1720,6 @@ private function _processUserGroupsPermissions(User $user)
      */
     private function _processTokenRequest(): array
     {
-        if (!Craft::$app->getUser()->getIsGuest()) {
-            Craft::$app->getUser()->logout();
-        }
-
         $id = Craft::$app->getRequest()->getRequiredParam('id');
         $code = Craft::$app->getRequest()->getRequiredParam('code');
         $isCodeValid = false;
@@ -1729,6 +1730,12 @@ private function _processTokenRequest(): array
             ->addSelect(['users.password', 'users.unverifiedEmail'])
             ->one();
 
+        // If someone is logged in and it's not this person, log them out
+        $userService = Craft::$app->getUser();
+        if (($identity = $userService->getIdentity()) !== null && $identity->id != $userToProcess->id) {
+            $userService->logout();
+        }
+
         if ($userToProcess) {
             // Fire a 'beforeVerifyUser' event
             Craft::$app->getUsers()->trigger(Users::EVENT_BEFORE_VERIFY_EMAIL,
@@ -1736,8 +1743,7 @@ private function _processTokenRequest(): array
                     'user' => $userToProcess
                 ]));
 
-            $isCodeValid = Craft::$app->getUsers()->isVerificationCodeValidForUser($userToProcess,
-                $code);
+            $isCodeValid = Craft::$app->getUsers()->isVerificationCodeValidForUser($userToProcess, $code);
         }
 
         if (!$userToProcess || !$isCodeValid) {