From a45882dca0467e8362add876c8b6f5fb17fd91c2 Mon Sep 17 00:00:00 2001
From: Neraste
Date: Thu, 27 May 2021 01:08:50 +0900
Subject: [PATCH 1/2] Add test for custom flag field
---
 .../views/register_email/test_verify_email.py | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/tests/api/views/register_email/test_verify_email.py b/tests/api/views/register_email/test_verify_email.py
index 9f695e0..1c36147 100644
--- a/tests/api/views/register_email/test_verify_email.py
+++ b/tests/api/views/register_email/test_verify_email.py
@@ -103,6 +103,30 @@ def test_with_username_as_verification_id_ok(self):
 self.user.refresh_from_db()
 self.assertEqual(self.user.email, self.new_email)
+ @override_rest_registration_settings({
+ "REGISTER_VERIFICATION_ENABLED": True,
+ "REGISTER_EMAIL_VERIFICATION_ENABLED": True,
+ 'USER_VERIFICATION_FLAG_FIELD': 'is_staff',
+ })
+ def test_with_custom_flag_field_ok(self):
+ # a superuser is created with command createsuperuser
+ # the flag field (here is_staff) is not set
+ self.setup_user()
+ self.user.is_superuser = True
+ self.user.is_staff = False
+ self.user.save()
+
+ signer = RegisterEmailSigner({
+ 'user_id': self.user.id,
+ 'email': self.new_email,
+ })
+ data = signer.get_signed_data()
+ request = self.create_post_request(data)
+ response = self.view_func(request)
+ self.assert_valid_response(response, status.HTTP_200_OK)
+ self.user.refresh_from_db()
+ self.assertEqual(self.user.email, self.new_email)
+
 @override_settings(
 REST_REGISTRATION={
 'REGISTER_EMAIL_VERIFICATION_URL': REGISTER_EMAIL_VERIFICATION_URL,
From a60026e653c7b2c63b9f487031b9cb187453a92f Mon Sep 17 00:00:00 2001
From: Neraste
Date: Fri, 28 May 2021 01:52:58 +0900
Subject: [PATCH 2/2] Allow superuser to not be verified
---
 rest_registration/utils/users.py | 12 +++++++--
 .../views/register_email/test_verify_email.py | 26 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 3 deletions(-)
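Review bot: The comment in `test_with_custom_flag_field_ok` (patch 1/2) describes a state that Django's stock `createsuperuser` does not produce for `is_staff`, because the default `create_superuser` sets `is_staff=True`; the case only arises when the flag field is some other attribute. Reword it so `is_staff` is clearly a stand-in, for example `# superuser whose verification flag was never set; is_staff stands in for a custom flag field`. As ordered, this test also appears to fail until 2/2 lands, since the query filter removed there still excludes this user, which makes the first commit unfriendly to bisecting.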
diff --git a/rest_registration/utils/users.py b/rest_registration/utils/users.py
index 77063cb..3145acb 100644
--- a/rest_registration/utils/users.py
+++ b/rest_registration/utils/users.py
@@ -167,8 +167,6 @@ def get_user_by_lookup_dict(
 user_class = get_user_model()
 kwargs = {}
 kwargs.update(lookup_dict)
- if require_verified and verification_enabled and verification_flag_field:
- kwargs[verification_flag_field] = True
 try:
 queryset = user_class.objects.all() # type: QuerySet[AbstractBaseUser]
 user = get_object_or_404(queryset, **kwargs)
@@ -177,6 +175,16 @@ def get_user_by_lookup_dict(
 raise UserNotFound() from None
 return default
 else:
+ # the user must be verified if requested and if not superuser
+ if (
+ require_verified
+ and verification_enabled
+ and verification_flag_field
+ and not getattr(user, verification_flag_field)
+ and not user.is_superuser
+ ):
+ raise UserNotFound()
+
 return user
diff --git a/tests/api/views/register_email/test_verify_email.py b/tests/api/views/register_email/test_verify_email.py
index 1c36147..d1c3658 100644
--- a/tests/api/views/register_email/test_verify_email.py
+++ b/tests/api/views/register_email/test_verify_email.py
@@ -108,7 +108,7 @@ def test_with_username_as_verification_id_ok(self):
 "REGISTER_VERIFICATION_ENABLED": True,
 "REGISTER_EMAIL_VERIFICATION_ENABLED": True,
 'USER_VERIFICATION_FLAG_FIELD': 'is_staff',
 })
- def test_with_custom_flag_field_ok(self):
+ def test_with_custom_flag_field_not_verified_superuser_ok(self):
 # a superuser is created with command createsuperuser
 # the flag field (here is_staff) is not set
 self.setup_user()
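Review bot: The new `raise UserNotFound()` in the `else:` branch of `get_user_by_lookup_dict` (second hunk of `rest_registration/utils/users.py`) is unconditional, while the not-found branch just above it either raises or does `return default`. Before this change an unverified user was filtered out by the query and went through that branch, so callers that pass a `default` presumably now get an exception instead; the condition that selects between the two lies outside the hunk and should be mirrored here. `user.is_superuser` also assumes the user model defines that attribute, although the queryset is typed as `AbstractBaseUser`, which does not; `and not getattr(user, 'is_superuser', False)` keeps custom user models working. Because the exemption reaches every caller that asks for `require_verified`, the function should document that superusers skip the verification flag, so anyone auditing those callers sees it.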
@@ -127,6 +127,30 @@ def test_with_custom_flag_field_ok(self):
 self.user.refresh_from_db()
 self.assertEqual(self.user.email, self.new_email)
+ @override_rest_registration_settings({
+ "REGISTER_VERIFICATION_ENABLED": True,
+ "REGISTER_EMAIL_VERIFICATION_ENABLED": True,
+ 'USER_VERIFICATION_FLAG_FIELD': 'is_staff',
+ })
+ def test_with_custom_flag_field_not_verified(self):
+ # a normal user is created
+ # the flag field (here is_staff) is not set
+ self.setup_user()
+ self.user.is_staff = False
+ self.user.save()
+ old_email = self.user.email
+
+ signer = RegisterEmailSigner({
+ 'user_id': self.user.id,
+ 'email': self.new_email,
+ })
+ data = signer.get_signed_data()
+ request = self.create_post_request(data)
+ response = self.view_func(request)
+ self.assert_response_is_bad_request(response)
+ self.user.refresh_from_db()
+ self.assertEqual(self.user.email, old_email)
+
 @override_settings(
 REST_REGISTRATION={
 'REGISTER_EMAIL_VERIFICATION_URL': REGISTER_EMAIL_VERIFICATION_URL,
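Review bot: `test_with_custom_flag_field_not_verified` never sets `is_superuser`, so the rejection it asserts depends on whatever `setup_user()` happens to create. The check under test branches on exactly that attribute, so pin it with `self.user.is_superuser = False` next to `self.user.is_staff = False`. A third case, a non-superuser whose flag field is set and whose e-mail change succeeds, would complete the coverage of the custom-flag path. The trailing context lines belong to the next test, which continues outside the hunk.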