Cleanup + fix support for invalidUserTokenPath

#1998 (comment)

CHANGELOG-v3.md

@@ -5,6 +5,10 @@
 ### Changed
 - Craft no longer uses the `devMode` setting to decide if GraphQL schema should be pre-built, but pre-builds it when responding to introspection queries, instead.
 
+### Fixed
+- Fixed a bug where Craft was ignoring the `invalidUserTokenPath` request when it was set to an empty string. ([#1998](https://github.com/craftcms/cms/issues/1998))
+- Fixed a bug where the `invalidUserTokenPath` was affecting Control Panel requests.
+
 ## 3.3.2 - 2019-09-11
 
 ### Added

src/controllers/UsersController.php

@@ -1887,7 +1887,6 @@ private function _processTokenRequest()
     {
         $uid = Craft::$app->getRequest()->getRequiredParam('id');
         $code = Craft::$app->getRequest()->getRequiredParam('code');
-        $isCodeValid = false;
 
         /** @var User|null $user */
         $user = User::find()
@@ -1896,31 +1895,34 @@ private function _processTokenRequest()
             ->addSelect(['users.password', 'users.unverifiedEmail'])
             ->one();
 
+        if (!$user) {
+            return $this->_processInvalidToken();
+        }
+
         // If someone is logged in and it's not this person, log them out
         $userSession = Craft::$app->getUser();
-        if (($identity = $userSession->getIdentity()) !== null && $user && $identity->id != $user->id) {
+        if (!$userSession->getIsGuest() && $userSession->getId() != $user->id) {
             $userSession->logout();
         }
 
-        if ($user) {
-            // Fire a 'beforeVerifyUser' event
-            Craft::$app->getUsers()->trigger(Users::EVENT_BEFORE_VERIFY_EMAIL,
-                new UserEvent([
-                    'user' => $user
-                ]));
-
-            $isCodeValid = Craft::$app->getUsers()->isVerificationCodeValidForUser($user, $code);
+        // Fire a 'beforeVerifyUser' event
+        $usersService = Craft::$app->getUsers();
+        if ($usersService->hasEventHandlers(Users::EVENT_BEFORE_VERIFY_EMAIL)) {
+            $usersService->trigger(Users::EVENT_BEFORE_VERIFY_EMAIL, new UserEvent([
+                'user' => $user
+            ]));
         }
 
-        if (!$user || !$isCodeValid) {
+        if (!Craft::$app->getUsers()->isVerificationCodeValidForUser($user, $code)) {
             return $this->_processInvalidToken();
         }
 
         // Fire an 'afterVerifyUser' event
-        Craft::$app->getUsers()->trigger(Users::EVENT_AFTER_VERIFY_EMAIL,
-            new UserEvent([
+        if ($usersService->hasEventHandlers(Users::EVENT_AFTER_VERIFY_EMAIL)) {
+            $usersService->trigger(Users::EVENT_AFTER_VERIFY_EMAIL, new UserEvent([
                 'user' => $user
             ]));
+        }
 
         return [$user, $uid, $code];
     }
@@ -1936,12 +1938,12 @@ private function _processInvalidToken(): Response
         if (!$userSession->getIsGuest()) {
             $returnUrl = $userSession->getReturnUrl();
             $userSession->removeReturnUrl();
-
             return $this->redirect($returnUrl);
         }
 
         // If the invalidUserTokenPath config setting is set, send them there
-        if ($url = Craft::$app->getConfig()->getGeneral()->getInvalidUserTokenPath()) {
+        if (Craft::$app->getRequest()->getIsSiteRequest()) {
+            $url = Craft::$app->getConfig()->getGeneral()->getInvalidUserTokenPath();
             return $this->redirect(UrlHelper::siteUrl($url));
         }
 

src/services/Users.php

@@ -619,13 +619,12 @@ public function verifyEmailForUser(User $user): bool
 
         $userRecord = $this->_getUserRecordById($user->id);
         $userRecord->email = $user->unverifiedEmail;
+        $userRecord->unverifiedEmail = null;
 
         if (Craft::$app->getConfig()->getGeneral()->useEmailAsUsername) {
             $userRecord->username = $user->unverifiedEmail;
         }
 
-        $userRecord->unverifiedEmail = null;
-
         if (!$userRecord->save()) {
             $user->addErrors($userRecord->getErrors());
             return false;