From aebe84b694b69de4958965c84d5e1d04edbfa1f3 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Tue, 9 Sep 2014 00:55:13 +0530
Subject: [PATCH 001/107] Add hash and ctime fields to
 email_address_with_confirmation

---
 branch.sql                     | 5 +++++
 gratipay/models/participant.py | 5 +++--
 tests/py/test_close.py         | 3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 branch.sql

diff --git a/branch.sql b/branch.sql
new file mode 100644
index 0000000000..5b8eb84056
--- /dev/null
+++ b/branch.sql
@@ -0,0 +1,5 @@
+BEGIN;
+	ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE hash text;
+	ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE ctime timestamp with time zone;
+END;
+
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 6cd4aba32e..dcede6eadf 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -547,10 +547,11 @@ def update_avatar(self):
         self.set_attributes(avatar_url=avatar_url)
 
     def update_email(self, email, confirmed=False):
+        hash_string = str(uuid.uuid4())        
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
-            r = c.one("UPDATE participants SET email = ROW(%s, %s) WHERE username=%s RETURNING email"
-                     , (email, confirmed, self.username)
+            r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
+                     , (email, confirmed, hash_string, utcnow(),self.username)
                       )
             self.set_attributes(email=r)
 
diff --git a/tests/py/test_close.py b/tests/py/test_close.py
index c49fd7d77f..5f0ec321eb 100644
--- a/tests/py/test_close.py
+++ b/tests/py/test_close.py
@@ -10,6 +10,7 @@
 from gratipay.models.community import Community
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
+from aspen.utils import utcnow
 
 
 class TestClosing(Harness):
@@ -282,7 +283,7 @@ def test_cpi_clears_personal_information(self):
                                      , anonymous_receiving=True
                                      , number='plural'
                                      , avatar_url='img-url'
-                                     , email=('alice@example.com', True)
+                                     , email=('alice@example.com', True, 'samplehash', utcnow())
                                      , claimed_time='now'
                                      , session_token='deadbeef'
                                      , session_expires='2000-01-01'

From 3c589fa7656831f1ffbd4a1e63789b6d9c43a1b0 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Tue, 9 Sep 2014 12:25:19 +0530
Subject: [PATCH 002/107] Update hash and ctime when email is changed

---
 gratipay/models/participant.py | 11 +++++++++--
 tests/py/test_participant.py   |  8 +++++++-
 www/%username/email.json.spt   |  2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index dcede6eadf..6f1373b525 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -547,11 +547,18 @@ def update_avatar(self):
         self.set_attributes(avatar_url=avatar_url)
 
     def update_email(self, email, confirmed=False):
-        hash_string = str(uuid.uuid4())        
+        hash_string = self.email.hash if hasattr(self.email,'hash') else ''
+        current_email = self.email.address if hasattr(self.email,'address') else ''
+        ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
+        if email != current_email:
+            confirmed = False
+            hash_string = str(uuid.uuid4())        
+            ctime = utcnow()
+            # Send the user an email here
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
             r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
-                     , (email, confirmed, hash_string, utcnow(),self.username)
+                     , (email, confirmed, hash_string, ctime,self.username)
                       )
             self.set_attributes(email=r)
 
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index ee5c1cc449..e1ee54651c 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -227,7 +227,13 @@ def test_can_change_email(self):
         actual = self.alice.email.address
         assert actual == expected
 
-    def test_can_confirm_email(self):
+    def test_cannot_confirm_email_in_one_step(self):
+        self.alice.update_email('alice@gratipay.com', True)
+        actual = self.alice.email.confirmed
+        assert actual == False
+
+    def test_can_confirm_email_in_second_step(self):
+        self.alice.update_email('alice@gratipay.com')
         self.alice.update_email('alice@gratipay.com', True)
         actual = self.alice.email.confirmed
         assert actual == True
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 612427069e..65b6c98774 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -24,4 +24,4 @@ else:
     user.participant.update_email(address)
 
 [---] application/json via json_dump
-{'email': address}
+{'email': address, 'confirmed': user.participant.email.confirmed }

From c12554c9fbfb124fdff7248f5980c6c2e6dbe726 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Tue, 9 Sep 2014 15:10:40 +0530
Subject: [PATCH 003/107] Verification page

---
 gratipay/models/participant.py      |  6 ++-
 tests/py/test_email_json.py         |  2 +-
 tests/py/test_verify_email_html.py  | 79 +++++++++++++++++++++++++++++
 www/%username/verify-email.html.spt | 53 +++++++++++++++++++
 4 files changed, 137 insertions(+), 3 deletions(-)
 create mode 100644 tests/py/test_verify_email_html.py
 create mode 100644 www/%username/verify-email.html.spt

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 6f1373b525..f0cc7e441a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -550,9 +550,10 @@ def update_email(self, email, confirmed=False):
         hash_string = self.email.hash if hasattr(self.email,'hash') else ''
         current_email = self.email.address if hasattr(self.email,'address') else ''
         ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
-        if email != current_email:
+        was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else ''
+        if (email != current_email) or (email == current_email and confirmed == was_confirmed == False):
             confirmed = False
-            hash_string = str(uuid.uuid4())        
+            hash_string = str(uuid.uuid4())
             ctime = utcnow()
             # Send the user an email here
         with self.db.get_cursor() as c:
@@ -561,6 +562,7 @@ def update_email(self, email, confirmed=False):
                      , (email, confirmed, hash_string, ctime,self.username)
                       )
             self.set_attributes(email=r)
+        return r
 
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
diff --git a/tests/py/test_email_json.py b/tests/py/test_email_json.py
index 7a3fd9c315..3f63566c78 100644
--- a/tests/py/test_email_json.py
+++ b/tests/py/test_email_json.py
@@ -4,7 +4,7 @@
 
 from gratipay.testing import Harness
 
-class TestMembernameJson(Harness):
+class TestEmailJson(Harness):
 
     def change_email_address(self, address, user='alice', should_fail=True):
         self.make_participant("alice")
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
new file mode 100644
index 0000000000..77199b5749
--- /dev/null
+++ b/tests/py/test_verify_email_html.py
@@ -0,0 +1,79 @@
+from gratipay.models.participant import Participant
+from gratipay.testing import Harness
+
+
+class TestForVerifyEmail(Harness):
+
+    def change_email_address(self, address, username, should_fail=False):
+        url = "/%s/email.json" % username
+        if should_fail:
+            response = self.client.PxST(url
+                , {'email': address,}
+                , auth_as=username
+            )
+        else:
+            response = self.client.POST(url
+                , {'email': address,}
+                , auth_as=username
+            )
+        return response
+
+    def verify_email(self, username, hash_string, should_fail=False):
+        url = '/%s/verify-email.html?hash=%s' % (username , hash_string)
+        if should_fail:
+            response = self.client.GxT(url)
+        else:
+            response = self.client.GET(url)
+        return response
+
+    def test_verify_email_without_adding_email(self):
+        participant = self.make_participant('alice')
+        response = self.verify_email(participant.username,'sample-hash', should_fail=True)
+        assert response.code == 404
+
+    def test_verify_email_wrong_hash(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        self.verify_email(participant.username,'sample-hash')
+        expected = False
+        actual = Participant.from_username(participant.username).email.confirmed
+        assert expected == actual
+
+    def test_verify_email(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        hash_string = Participant.from_username(participant.username).email.hash
+        self.verify_email(participant.username,hash_string)
+        expected = True
+        actual = Participant.from_username(participant.username).email.confirmed
+        assert expected == actual
+
+    def test_email_is_not_confirmed_after_update(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        hash_string = Participant.from_username(participant.username).email.hash
+        self.verify_email(participant.username,hash_string)
+        self.change_email_address('alice@yahoo.com', participant.username)
+        expected = False
+        actual = Participant.from_username(participant.username).email.confirmed
+        assert expected == actual
+
+    def test_verify_email_after_update(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        hash_string = Participant.from_username(participant.username).email.hash
+        self.verify_email(participant.username,hash_string)
+        self.change_email_address('alice@yahoo.com', participant.username)
+        hash_string = Participant.from_username(participant.username).email.hash
+        self.verify_email(participant.username,hash_string)
+        expected = True
+        actual = Participant.from_username(participant.username).email.confirmed
+        assert expected == actual
+
+    def test_hash_is_regenerated_on_update(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        hash_string_1 = Participant.from_username(participant.username).email.hash
+        self.change_email_address('alice@gmail.com', participant.username)
+        hash_string_2 = Participant.from_username(participant.username).email.hash
+        assert hash_string_1 != hash_string_2
\ No newline at end of file
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
new file mode 100644
index 0000000000..026fbfcadf
--- /dev/null
+++ b/www/%username/verify-email.html.spt
@@ -0,0 +1,53 @@
+"""Verify a participant's email
+"""
+from gratipay.utils import get_participant
+from aspen import Response
+from aspen.utils import utcnow
+from datetime import timedelta
+
+[-----------------------------------------------------------------------------]
+
+participant = get_participant(request, restrict=False)
+qs = request.line.uri.querystring
+hash_string = qs['hash'] if 'hash' in qs else ''
+
+if not participant.email:
+    raise Response(404)
+
+CONFIRMED = participant.email.confirmed
+original_hash = participant.email.hash if hasattr(participant.email, 'hash') else ''
+email_ctime = participant.email.ctime if hasattr(participant.email, 'ctime') else ''
+
+EXPIRED = False
+
+if not CONFIRMED and hash_string == original_hash:
+    if utcnow() - email_ctime < timedelta(hours=24):
+        result = participant.update_email(participant.email.address, True)
+        CONFIRMED = result.confirmed
+    else:
+        EXPIRED = True
+
+[-----------------------------------------------------------------------------]
+{% extends "templates/base.html" %}
+
+{% block scripts %}
+
+{% endblock %}
+
+{% block heading %}
+    <h1>Verify Email</h1>
+{% endblock %}
+
+{% block box %}
+    <div class="as-content">
+    {% if ALREADY_CONFIRMED or CONFIRMED %}
+        <h1>{{ _("Your email address has been verified.") }}</h1>
+    {% elif EXPIRED  %}
+        <h1>{{ _("Your verification email has expired.") }}</h1>
+    {% else %}
+    	<h1>{{ _("Failed to verify your email address") }}</h1>
+    {% endif %}
+    <a href="http://gratipay.com/">{{ _("Go to homepage") }}</a>
+    </div>
+{% endblock %}
+

From 301e94f302dcd0901bda3184669ddcd5dc25afb9 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 10 Sep 2014 01:31:17 +0530
Subject: [PATCH 004/107] Sending emails

---
 defaults.env                   |  2 +-
 gratipay/models/participant.py | 14 ++++++++--
 gratipay/utils/emails.py       | 50 ++++++++++++++++++++++++++++++++++
 gratipay/wireup.py             |  2 --
 js/gratipay/account.js         |  1 +
 5 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 gratipay/utils/emails.py

diff --git a/defaults.env b/defaults.env
index 5adef34f31..bce2b0142c 100644
--- a/defaults.env
+++ b/defaults.env
@@ -71,6 +71,6 @@ ASPEN_WWW_ROOT=www/
 # https://github.com/benoitc/gunicorn/issues/186
 GUNICORN_OPTS="--workers=1 --timeout=99999999"
 
-MANDRILL_KEY=
+MANDRILL_KEY=eQeaTXtlBIuoBKb5ymL0aA
 
 RAISE_CARD_EXPIRATION=no
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index f0cc7e441a..d4bf0df617 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -38,6 +38,7 @@
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.utils.username import safely_reserve_a_username
 from gratipay.utils import is_card_expiring
+from gratipay.utils.emails import send_verification_email
 
 
 ASCII_ALLOWED_IN_USERNAME = set("0123456789"
@@ -551,19 +552,28 @@ def update_email(self, email, confirmed=False):
         current_email = self.email.address if hasattr(self.email,'address') else ''
         ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
         was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else ''
-        if (email != current_email) or (email == current_email and confirmed == was_confirmed == False):
+        should_verify = (email != current_email) or (email == current_email and confirmed == was_confirmed == False)
+        if should_verify:
             confirmed = False
             hash_string = str(uuid.uuid4())
             ctime = utcnow()
-            # Send the user an email here
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
             r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
                      , (email, confirmed, hash_string, ctime,self.username)
                       )
             self.set_attributes(email=r)
+        if should_verify:
+            send_verification_email(self)
         return r
 
+    def get_verification_link(self):
+        hash_string = self.email.hash
+        username = self.username_lower
+        link = "%s://%s/%s/verify-email.html?hash=%s" % (gratipay.canonical_scheme, gratipay.canonical_host, username, hash_string)
+        return link
+
+
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
         with self.db.get_cursor() as c:
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
new file mode 100644
index 0000000000..9b7b7b859d
--- /dev/null
+++ b/gratipay/utils/emails.py
@@ -0,0 +1,50 @@
+import mandrill
+from environment import Environment
+from aspen import log_dammit
+
+class BadEnvironment(SystemExit):
+    pass
+
+def env():
+    env = Environment(MANDRILL_KEY=unicode)
+    if env.malformed:
+        raise BadEnvironment("Malformed envvar: MANDRILL_KEY")
+    if env.missing:
+        raise BadEnvironment("Missing envvar: MANDRILL_KEY")
+    return env
+
+class MandrillError(Exception): pass
+
+def mail(env):
+    mandrill_client = mandrill.Mandrill(env.mandrill_key)
+    return mandrill_client
+
+def send_email(to_address, to_name, subject, body):
+    mail_client = mail(env())
+    message = {
+        'from_email': 'notifications@gratipay.com',
+        'from_name': 'Gratipay',
+        'to': [{'email': to_address,
+             'name': to_name
+            }],
+        'subject': subject,
+        'html': body
+    }
+    try:
+        result = mail_client.messages.send(message=message)
+        return result
+    except mandrill.Error, e:
+        log_dammit('A mandrill error occurred: %s - %s' % (e.__class__, e))
+        raise MandrillError
+
+def send_verification_email(participant):
+    subject = "Welcome to Gratipay!"
+    link = participant.get_verification_link()
+    # TODO - Improve body text
+    body = """
+        Welcome to Gratipay!
+
+        <a href="%s">Click on this link</a> to verify your email.
+
+    """ % link
+    return send_email(participant.email.address, participant.username, subject, body)
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index e2f9b28080..270ee90736 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -35,7 +35,6 @@
 from gratipay.utils.cache_static import asset_etag
 from gratipay.utils.i18n import ALIASES, ALIASES_R, get_function_from_rule, strip_accents
 
-
 def canonical(env):
     gratipay.canonical_scheme = env.canonical_scheme
     gratipay.canonical_host = env.canonical_host
@@ -56,7 +55,6 @@ def db(env):
 
 def mail(env):
     mandrill_client = mandrill.Mandrill(env.mandrill_key)
-
     return mandrill_client
 
 def billing(env):
diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 48d9f9856d..7dc098ff64 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -137,6 +137,7 @@ Gratipay.account.init = function() {
             $('.email-address').text(data.email);
             $('.email').toggle();
             $('.toggle-email').show();
+            Gratipay.notification('Your email address has been changed', 'notice');
             if (data.email === '') {
                 $('.toggle-email').text('+ Add');  // TODO i18n
             } else {

From cdd872faf64d730855625ebeae8e82da84b31798 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 11 Sep 2014 00:41:22 +0530
Subject: [PATCH 005/107] Account page UI - email verification

---
 gratipay/models/participant.py       | 3 ++-
 js/gratipay/account.js               | 5 ++++-
 www/%username/account/index.html.spt | 5 +++++
 www/%username/email.json.spt         | 4 ++--
 www/%username/verify-email.html.spt  | 2 +-
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index d4bf0df617..a803361e9a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -553,6 +553,7 @@ def update_email(self, email, confirmed=False):
         ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
         was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else ''
         should_verify = (email != current_email) or (email == current_email and confirmed == was_confirmed == False)
+        confirmed = True
         if should_verify:
             confirmed = False
             hash_string = str(uuid.uuid4())
@@ -560,7 +561,7 @@ def update_email(self, email, confirmed=False):
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
             r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
-                     , (email, confirmed, hash_string, ctime,self.username)
+                     , (email, confirmed, hash_string, ctime, self.username)
                       )
             self.set_attributes(email=r)
         if should_verify:
diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 7dc098ff64..bb336a1b82 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -137,12 +137,15 @@ Gratipay.account.init = function() {
             $('.email-address').text(data.email);
             $('.email').toggle();
             $('.toggle-email').show();
-            Gratipay.notification('Your email address has been changed', 'notice');
+            Gratipay.notification('Your email address has been changed', 'success');
             if (data.email === '') {
                 $('.toggle-email').text('+ Add');  // TODO i18n
             } else {
                 $('.toggle-email').text('Edit');  // TODO i18n
             }
+            if (!data.confirmed) {
+                $('#email-not-verified').show();
+            }
             $this.css('opacity', 1);
         }
 
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 2740e175c1..1c090d48f7 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -158,6 +158,11 @@ locked = False
                                 {{ participant.email.address }}
                             {% endif %}
                         </a>
+                        {% if participant.email and not participant.email.confirmed %}
+                            <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
+                        {% elif participant.email %}
+                            <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
+                        {% endif %}
                     </div>
 
                     <form class="email-submit">
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 65b6c98774..4882a6fea2 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -21,7 +21,7 @@ if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
     raise Response(400)
 else:
     # Woohoo! valid request, store it!
-    user.participant.update_email(address)
+    result = user.participant.update_email(address)
 
 [---] application/json via json_dump
-{'email': address, 'confirmed': user.participant.email.confirmed }
+{'email': result.address, 'confirmed': result.confirmed }
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 026fbfcadf..9f175d353d 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -47,7 +47,7 @@ if not CONFIRMED and hash_string == original_hash:
     {% else %}
     	<h1>{{ _("Failed to verify your email address") }}</h1>
     {% endif %}
-    <a href="http://gratipay.com/">{{ _("Go to homepage") }}</a>
+    <a href="/">{{ _("Go to homepage") }}</a>
     </div>
 {% endblock %}
 

From 2db3f301b6e6e8c29eb019225a1cb9c436d2a404 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Fri, 12 Sep 2014 05:46:34 +0530
Subject: [PATCH 006/107] Cleanup, split into functions

---
 gratipay/models/participant.py      | 37 +++++++++++++++++++++++------
 gratipay/utils/emails.py            |  2 +-
 js/gratipay/account.js              |  6 ++++-
 www/%username/email.json.spt        |  4 ++--
 www/%username/verify-email.html.spt | 19 ++++-----------
 5 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index a803361e9a..6b0e60f736 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -15,6 +15,7 @@
 
 import aspen
 from aspen.utils import typecheck, utcnow
+from datetime import timedelta
 from postgres.orm import Model
 from psycopg2 import IntegrityError
 
@@ -549,13 +550,8 @@ def update_avatar(self):
 
     def update_email(self, email, confirmed=False):
         hash_string = self.email.hash if hasattr(self.email,'hash') else ''
-        current_email = self.email.address if hasattr(self.email,'address') else ''
         ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
-        was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else ''
-        should_verify = (email != current_email) or (email == current_email and confirmed == was_confirmed == False)
-        confirmed = True
-        if should_verify:
-            confirmed = False
+        if not confirmed:
             hash_string = str(uuid.uuid4())
             ctime = utcnow()
         with self.db.get_cursor() as c:
@@ -564,10 +560,37 @@ def update_email(self, email, confirmed=False):
                      , (email, confirmed, hash_string, ctime, self.username)
                       )
             self.set_attributes(email=r)
-        if should_verify:
+        if not confirmed:
             send_verification_email(self)
         return r
 
+    def change_email(self, email):
+        current_email = self.email.address if hasattr(self.email,'address') else ''
+        was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else False
+        result = {
+            'address': email,
+            'confirmed': False
+        }
+        if email != current_email:
+            self.update_email(email,False)
+        elif not was_confirmed:
+            self.update_email(email,False)
+        else:
+            result['confirmed'] = True
+        return result
+
+    def verify_email(self, hash_string):
+        original_hash = self.email.hash if hasattr(self.email, 'hash') else ''
+        email_ctime = self.email.ctime if hasattr(self.email, 'ctime') else ''
+        confirmed = self.email.confirmed if hasattr(self.email, 'confirmed') else ''
+        if (original_hash == hash_string) and ((utcnow() - email_ctime) < timedelta(hours=24)):
+            self.update_email(self.email.address,True)
+            return 0 # Verified
+        elif (original_hash == hash_string):
+            return 1 # Expired
+        else:
+            return 2 # Failed
+
     def get_verification_link(self):
         hash_string = self.email.hash
         username = self.username_lower
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 9b7b7b859d..a36b656a39 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -42,7 +42,7 @@ def send_verification_email(participant):
     link = participant.get_verification_link()
     # TODO - Improve body text
     body = """
-        Welcome to Gratipay!
+        Welcome to Gratipay!<br><br>
 
         <a href="%s">Click on this link</a> to verify your email.
 
diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index bb336a1b82..9078222e01 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -137,7 +137,7 @@ Gratipay.account.init = function() {
             $('.email-address').text(data.email);
             $('.email').toggle();
             $('.toggle-email').show();
-            Gratipay.notification('Your email address has been changed', 'success');
+
             if (data.email === '') {
                 $('.toggle-email').text('+ Add');  // TODO i18n
             } else {
@@ -145,6 +145,10 @@ Gratipay.account.init = function() {
             }
             if (!data.confirmed) {
                 $('#email-not-verified').show();
+                Gratipay.notification("We've sent a verification link to " + data.email , 'success');
+            }
+            else{
+                Gratipay.notification("We've updated your email address" , 'success');
             }
             $this.css('opacity', 1);
         }
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 4882a6fea2..d4c5e0ba7a 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -21,7 +21,7 @@ if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
     raise Response(400)
 else:
     # Woohoo! valid request, store it!
-    result = user.participant.update_email(address)
+    result = user.participant.change_email(address)
 
 [---] application/json via json_dump
-{'email': result.address, 'confirmed': result.confirmed }
+{'email': result['address'], 'confirmed': result['confirmed'] }
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 9f175d353d..340e3f12e8 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -14,18 +14,7 @@ hash_string = qs['hash'] if 'hash' in qs else ''
 if not participant.email:
     raise Response(404)
 
-CONFIRMED = participant.email.confirmed
-original_hash = participant.email.hash if hasattr(participant.email, 'hash') else ''
-email_ctime = participant.email.ctime if hasattr(participant.email, 'ctime') else ''
-
-EXPIRED = False
-
-if not CONFIRMED and hash_string == original_hash:
-    if utcnow() - email_ctime < timedelta(hours=24):
-        result = participant.update_email(participant.email.address, True)
-        CONFIRMED = result.confirmed
-    else:
-        EXPIRED = True
+result = participant.verify_email(hash_string)
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}
@@ -40,11 +29,11 @@ if not CONFIRMED and hash_string == original_hash:
 
 {% block box %}
     <div class="as-content">
-    {% if ALREADY_CONFIRMED or CONFIRMED %}
+    {% if result == 0 %}
         <h1>{{ _("Your email address has been verified.") }}</h1>
-    {% elif EXPIRED  %}
+    {% elif result == 1  %}
         <h1>{{ _("Your verification email has expired.") }}</h1>
-    {% else %}
+    {% elif result == 2 %}
     	<h1>{{ _("Failed to verify your email address") }}</h1>
     {% endif %}
     <a href="/">{{ _("Go to homepage") }}</a>

From 803f25b7ccb74cd41d351e644032a3606267c8e1 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Fri, 12 Sep 2014 06:13:34 +0530
Subject: [PATCH 007/107] Add Resend email button

---
 js/gratipay/account.js               | 22 ++++++++++++++++++++++
 www/%username/account/index.html.spt |  5 +++++
 2 files changed, 27 insertions(+)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 9078222e01..5cee456819 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -172,6 +172,28 @@ Gratipay.account.init = function() {
         $('.email').toggle();
         $('.toggle-email').show();
 
+        return false;
+    }).on('click', '[type=resend]', function () {
+        var $this = $(this);
+        $this.css('opacity', 0.5);
+
+        function success(data) {
+            Gratipay.notification("We've sent a verification link to " + data.email , 'success');
+            $this.css('opacity', 1);
+        }
+
+        $.ajax({
+            url: '../email.json',
+            type: 'POST',
+            dataType: 'json',
+            success: success,
+            error: function (data) {
+                $this.css('opacity', 1);
+                Gratipay.notification('Failed to save your email address. '
+                                  + 'Please try again.', 'error');
+            },
+            data: {email: $('input.email').val()}
+        })
         return false;
     });
 
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 1c090d48f7..7fa51e9289 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -177,6 +177,11 @@ locked = False
                             <button type="submit" class="email hidden">Save</button>
                             <button type="cancel" class="email cancel hidden">Cancel</button>
                         </div>
+                        {% if participant.email and not participant.email.confirmed %}
+                            <div class="buttons">
+                                <button type="resend" class="email">Resend Email</button>
+                            </div>
+                        {% endif %}
                     </form>
                 </td>
                 <td class="account-action">

From f61197c539bcf0ad84e54f5823722be7ed8baa17 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Fri, 12 Sep 2014 06:29:59 +0530
Subject: [PATCH 008/107] Added tests, simplified verify_email

---
 gratipay/models/participant.py |  5 +++--
 tests/py/test_participant.py   | 23 ++++++++++++++---------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 6b0e60f736..23fe634b53 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -580,9 +580,11 @@ def change_email(self, email):
         return result
 
     def verify_email(self, hash_string):
+        confirmed = self.email.confirmed if hasattr(self.email, 'confirmed') else ''
+        if confirmed:
+            return 0 # Verified
         original_hash = self.email.hash if hasattr(self.email, 'hash') else ''
         email_ctime = self.email.ctime if hasattr(self.email, 'ctime') else ''
-        confirmed = self.email.confirmed if hasattr(self.email, 'confirmed') else ''
         if (original_hash == hash_string) and ((utcnow() - email_ctime) < timedelta(hours=24)):
             self.update_email(self.email.address,True)
             return 0 # Verified
@@ -597,7 +599,6 @@ def get_verification_link(self):
         link = "%s://%s/%s/verify-email.html?hash=%s" % (gratipay.canonical_scheme, gratipay.canonical_host, username, hash_string)
         return link
 
-
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
         with self.db.get_cursor() as c:
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index e1ee54651c..b0f1f851c1 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -222,22 +222,27 @@ def test_john_is_plural(self):
         assert actual == expected
 
     def test_can_change_email(self):
-        self.alice.update_email('alice@gratipay.com')
+        self.alice.change_email('alice@gratipay.com')
         expected = 'alice@gratipay.com'
         actual = self.alice.email.address
         assert actual == expected
 
-    def test_cannot_confirm_email_in_one_step(self):
-        self.alice.update_email('alice@gratipay.com', True)
-        actual = self.alice.email.confirmed
-        assert actual == False
-
-    def test_can_confirm_email_in_second_step(self):
+    def test_can_verify_email(self):
         self.alice.update_email('alice@gratipay.com')
-        self.alice.update_email('alice@gratipay.com', True)
-        actual = self.alice.email.confirmed
+        hash_string = Participant.from_username('alice').email.hash
+        self.alice.verify_email(hash_string)
+        actual = Participant.from_username('alice').email.confirmed
         assert actual == True
 
+    def test_cannot_verify_email_with_wrong_hash(self):
+        self.alice.update_email('alice@gratipay.com')
+        hash_string = "some wrong hash"
+        self.alice.verify_email(hash_string)
+        actual = Participant.from_username('alice').email.confirmed
+        assert actual == False
+
+    # TODO - Add a test for expired hashes. (We don't have control over the ctime of emails)
+
     def test_cant_take_over_claimed_participant_without_confirmation(self):
         with self.assertRaises(NeedConfirmation):
             self.alice.take_over(('twitter', str(self.bob.id)))

From fc0ffbe581e191aa4d86092ce7445fddb8253014 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 30 Sep 2014 15:54:37 -0400
Subject: [PATCH 009/107] Update default Mandrill key

---
 defaults.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults.env b/defaults.env
index bce2b0142c..831575dcd8 100644
--- a/defaults.env
+++ b/defaults.env
@@ -71,6 +71,6 @@ ASPEN_WWW_ROOT=www/
 # https://github.com/benoitc/gunicorn/issues/186
 GUNICORN_OPTS="--workers=1 --timeout=99999999"
 
-MANDRILL_KEY=eQeaTXtlBIuoBKb5ymL0aA
+MANDRILL_KEY=Phh_Lm3RdPT5blqOPY4dVQ
 
 RAISE_CARD_EXPIRATION=no

From f406e378ea17fb45c25cf44f012a5e14e5e8c264 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 30 Sep 2014 16:33:03 -0400
Subject: [PATCH 010/107] Some tweaks to mails

Use support@ for From so we get replies. Include a text/plain body.
---
 gratipay/utils/emails.py | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index a36b656a39..8a2f0fac2f 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -19,16 +19,15 @@ def mail(env):
     mandrill_client = mandrill.Mandrill(env.mandrill_key)
     return mandrill_client
 
-def send_email(to_address, to_name, subject, body):
+def send_email(to_address, to_name, subject, html, text):
     mail_client = mail(env())
     message = {
-        'from_email': 'notifications@gratipay.com',
+        'from_email': 'support@gratipay.com',
         'from_name': 'Gratipay',
-        'to': [{'email': to_address,
-             'name': to_name
-            }],
+        'to': [{'email': to_address, 'name': to_name}],
         'subject': subject,
-        'html': body
+        'html': html,
+        'text': text
     }
     try:
         result = mail_client.messages.send(message=message)
@@ -40,11 +39,14 @@ def send_email(to_address, to_name, subject, body):
 def send_verification_email(participant):
     subject = "Welcome to Gratipay!"
     link = participant.get_verification_link()
-    # TODO - Improve body text
-    body = """
-        Welcome to Gratipay!<br><br>
-
-        <a href="%s">Click on this link</a> to verify your email.
-
-    """ % link
-    return send_email(participant.email.address, participant.username, subject, body)
+    html = """
+Welcome to Gratipay!
+<br><br>
+<a href="%s">Verify your email address</a>.
+""" % link
+    text = """
+Welcome to Gratipay! Verify your email address:
+
+%s
+""" % link
+    return send_email(participant.email.address, participant.username, subject, html, text)

From 5ed0e38dce9dd4747c89f0dc9a3a1b076a72fdf8 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 12:58:19 +0200
Subject: [PATCH 011/107] refactor

---
 configure-aspen.py             |  2 +-
 gratipay/models/participant.py | 13 ++++++--
 gratipay/utils/emails.py       | 56 ++++++----------------------------
 gratipay/wireup.py             |  4 +--
 4 files changed, 24 insertions(+), 51 deletions(-)

diff --git a/configure-aspen.py b/configure-aspen.py
index 8c598656f3..e89babc903 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -63,7 +63,7 @@ def _set_cookie(response, *args, **kw):
 tell_sentry = website.tell_sentry = gratipay.wireup.make_sentry_teller(env)
 gratipay.wireup.canonical(env)
 website.db = gratipay.wireup.db(env)
-website.mail = gratipay.wireup.mail(env)
+website.mailer = gratipay.wireup.mail(env)
 gratipay.wireup.billing(env)
 gratipay.wireup.username_restrictions(website)
 gratipay.wireup.nanswers(env)
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 23fe634b53..cd17d1448a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -39,7 +39,7 @@
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.utils.username import safely_reserve_a_username
 from gratipay.utils import is_card_expiring
-from gratipay.utils.emails import send_verification_email
+from gratipay.utils.emails import VERIFICATION_EMAIL
 
 
 ASCII_ALLOWED_IN_USERNAME = set("0123456789"
@@ -561,7 +561,7 @@ def update_email(self, email, confirmed=False):
                       )
             self.set_attributes(email=r)
         if not confirmed:
-            send_verification_email(self)
+            self.send_email(VERIFICATION_EMAIL, link=self.get_verification_link())
         return r
 
     def change_email(self, email):
@@ -599,6 +599,15 @@ def get_verification_link(self):
         link = "%s://%s/%s/verify-email.html?hash=%s" % (gratipay.canonical_scheme, gratipay.canonical_host, username, hash_string)
         return link
 
+    def send_email(self, message, **params):
+        message['from_email'] = 'support@gratipay.com'
+        message['from_name'] = 'Gratipay'
+        message['to'] = [{'email': self.email.address,
+                          'name': self.username}]
+        message['html'] = message['html'].format(**params)
+        message['text'] = message['text'].format(**params)
+        return self.mailer.messages.send(message=message)
+
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
         with self.db.get_cursor() as c:
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 8a2f0fac2f..ac42ed8a67 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -1,52 +1,16 @@
-import mandrill
-from environment import Environment
-from aspen import log_dammit
+from __future__ import unicode_literals
 
-class BadEnvironment(SystemExit):
-    pass
 
-def env():
-    env = Environment(MANDRILL_KEY=unicode)
-    if env.malformed:
-        raise BadEnvironment("Malformed envvar: MANDRILL_KEY")
-    if env.missing:
-        raise BadEnvironment("Missing envvar: MANDRILL_KEY")
-    return env
-
-class MandrillError(Exception): pass
-
-def mail(env):
-    mandrill_client = mandrill.Mandrill(env.mandrill_key)
-    return mandrill_client
-
-def send_email(to_address, to_name, subject, html, text):
-    mail_client = mail(env())
-    message = {
-        'from_email': 'support@gratipay.com',
-        'from_name': 'Gratipay',
-        'to': [{'email': to_address, 'name': to_name}],
-        'subject': subject,
-        'html': html,
-        'text': text
-    }
-    try:
-        result = mail_client.messages.send(message=message)
-        return result
-    except mandrill.Error, e:
-        log_dammit('A mandrill error occurred: %s - %s' % (e.__class__, e))
-        raise MandrillError
-
-def send_verification_email(participant):
-    subject = "Welcome to Gratipay!"
-    link = participant.get_verification_link()
-    html = """
+VERIFICATION_EMAIL = dict(
+    subject="Welcome to Gratipay!",
+    html="""
 Welcome to Gratipay!
 <br><br>
-<a href="%s">Verify your email address</a>.
-""" % link
-    text = """
+<a href="{link}">Verify your email address</a>.
+""",
+    text="""
 Welcome to Gratipay! Verify your email address:
 
-%s
-""" % link
-    return send_email(participant.email.address, participant.username, subject, html, text)
+{link}
+""",
+)
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index 270ee90736..a8f2c630db 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -54,8 +54,8 @@ def db(env):
     return db
 
 def mail(env):
-    mandrill_client = mandrill.Mandrill(env.mandrill_key)
-    return mandrill_client
+    mailer = Participant.mailer = mandrill.Mandrill(env.mandrill_key)
+    return mailer
 
 def billing(env):
     balanced.configure(env.balanced_api_secret)

From 06cec4e74dfc6d26684b29d8d0d66b2b359fa7ea Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 13:14:55 +0200
Subject: [PATCH 012/107] add test fixtures

---
 tests/py/fixtures/TestEmailJson.yml | 28 ++++++++++++++++++++++++++++
 tests/py/test_participant.py        | 13 +++++++++----
 tests/py/test_verify_email_html.py  |  5 ++++-
 3 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 tests/py/fixtures/TestEmailJson.yml

diff --git a/tests/py/fixtures/TestEmailJson.yml b/tests/py/fixtures/TestEmailJson.yml
new file mode 100644
index 0000000000..9e1c79fba9
--- /dev/null
+++ b/tests/py/fixtures/TestEmailJson.yml
@@ -0,0 +1,28 @@
+interactions:
+- request:
+    body: '{"async": false, "message": {"from_name": "Gratipay", "text": "\nWelcome
+      to Gratipay! Verify your email address:\n\nhttp:///alice/verify-email.html?hash=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\n",
+      "from_email": "support@gratipay.com", "to": [{"email": "alice@gratipay.com",
+      "name": "alice"}], "html": "\nWelcome to Gratipay!\n<br><br>\n<a href=\"http:///alice/verify-email.html?hash=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\">Verify
+      your email address</a>.\n", "subject": "Welcome to Gratipay!"}, "send_at": null,
+      "key": "Phh_Lm3RdPT5blqOPY4dVQ", "ip_pool": null}'
+    headers: {}
+    method: POST
+    uri: https://mandrillapp.com:443/api/1.0/messages/send.json
+  response:
+    body:
+      string: !!binary |
+        H4sIAAAAAAAAAwzKQQrCMBBG4bvMugiaZGy78h4iZZr+KZE0lWS6EPHuzfLjveePsElMNJKk6PFY
+        i2j8yPfi9406qip61FYrsjZPcWng4Y5gzC24xdvAboCxjq+We8OQfm5jwRtepwKpe6YxHyn9XycA
+        AAD//wMAm9FJfW4AAAA=
+    headers:
+      access-control-allow-credentials: ['false']
+      access-control-allow-headers: [Content-Type]
+      access-control-allow-methods: ['POST, GET, OPTIONS']
+      access-control-allow-origin: ['*']
+      content-encoding: [gzip]
+      content-type: [application/json; charset=utf-8]
+      transfer-encoding: [chunked]
+      vary: [Accept-Encoding]
+    status: {code: 200, message: OK}
+version: 1
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index b0f1f851c1..719105aaa8 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -1,10 +1,12 @@
 from __future__ import print_function, unicode_literals
 
 import datetime
-import random
 from decimal import Decimal
+import random
 
+import mock
 import pytest
+
 from aspen.utils import utcnow
 from gratipay import NotSane
 from gratipay.exceptions import (
@@ -221,20 +223,23 @@ def test_john_is_plural(self):
         actual = Participant.from_username('john').IS_PLURAL
         assert actual == expected
 
-    def test_can_change_email(self):
+    @mock.patch.object(Participant, 'send_email')
+    def test_can_change_email(self, send_email):
         self.alice.change_email('alice@gratipay.com')
         expected = 'alice@gratipay.com'
         actual = self.alice.email.address
         assert actual == expected
 
-    def test_can_verify_email(self):
+    @mock.patch.object(Participant, 'send_email')
+    def test_can_verify_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         hash_string = Participant.from_username('alice').email.hash
         self.alice.verify_email(hash_string)
         actual = Participant.from_username('alice').email.confirmed
         assert actual == True
 
-    def test_cannot_verify_email_with_wrong_hash(self):
+    @mock.patch.object(Participant, 'send_email')
+    def test_cannot_verify_email_with_wrong_hash(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         hash_string = "some wrong hash"
         self.alice.verify_email(hash_string)
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index 77199b5749..0328e90a9a 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -1,10 +1,13 @@
+import mock
+
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
 
 
 class TestForVerifyEmail(Harness):
 
-    def change_email_address(self, address, username, should_fail=False):
+    @mock.patch.object(Participant, 'send_email')
+    def change_email_address(self, address, username, send_email, should_fail=False):
         url = "/%s/email.json" % username
         if should_fail:
             response = self.client.PxST(url

From 21a561caa40f9021b9c9ae7d28d8e0bfb48851e2 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 16:48:21 +0200
Subject: [PATCH 013/107] put the email hash timeout in a constant

---
 gratipay/models/participant.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index cd17d1448a..aeb7c5106e 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -48,6 +48,8 @@
                                 ".,-_:@ ")
 # We use | in Sentry logging, so don't make that allowable. :-)
 
+EMAIL_HASH_TIMEOUT = timedelta(hours=24)
+
 NANSWERS_THRESHOLD = 0  # configured in wireup.py
 
 NOTIFIED_ABOUT_EXPIRATION = b'notifiedAboutExpiration'
@@ -585,7 +587,7 @@ def verify_email(self, hash_string):
             return 0 # Verified
         original_hash = self.email.hash if hasattr(self.email, 'hash') else ''
         email_ctime = self.email.ctime if hasattr(self.email, 'ctime') else ''
-        if (original_hash == hash_string) and ((utcnow() - email_ctime) < timedelta(hours=24)):
+        if (original_hash == hash_string) and ((utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT):
             self.update_email(self.email.address,True)
             return 0 # Verified
         elif (original_hash == hash_string):

From 6e2acec17e225e49b83cd377717e800a9875b3a0 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 16:52:13 +0200
Subject: [PATCH 014/107] simplify by using `getattr()` instead of `hasattr()`

---
 gratipay/models/participant.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index aeb7c5106e..2d69b5587a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -551,8 +551,8 @@ def update_avatar(self):
         self.set_attributes(avatar_url=avatar_url)
 
     def update_email(self, email, confirmed=False):
-        hash_string = self.email.hash if hasattr(self.email,'hash') else ''
-        ctime = self.email.ctime if hasattr(self.email,'ctime') else utcnow()
+        hash_string = getattr(self.email, 'hash', '')
+        ctime = getattr(self.email, 'ctime', utcnow())
         if not confirmed:
             hash_string = str(uuid.uuid4())
             ctime = utcnow()
@@ -567,8 +567,8 @@ def update_email(self, email, confirmed=False):
         return r
 
     def change_email(self, email):
-        current_email = self.email.address if hasattr(self.email,'address') else ''
-        was_confirmed = self.email.confirmed if hasattr(self.email,'confirmed') else False
+        current_email = getattr(self.email, 'address', '')
+        was_confirmed = getattr(self.email, 'confirmed', False)
         result = {
             'address': email,
             'confirmed': False
@@ -582,11 +582,10 @@ def change_email(self, email):
         return result
 
     def verify_email(self, hash_string):
-        confirmed = self.email.confirmed if hasattr(self.email, 'confirmed') else ''
-        if confirmed:
+        if getattr(self.email, 'confirmed', False):
             return 0 # Verified
-        original_hash = self.email.hash if hasattr(self.email, 'hash') else ''
-        email_ctime = self.email.ctime if hasattr(self.email, 'ctime') else ''
+        original_hash = getattr(self.email, 'hash', '')
+        email_ctime = getattr(self.email, 'ctime', '')
         if (original_hash == hash_string) and ((utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT):
             self.update_email(self.email.address,True)
             return 0 # Verified

From 5d0088edc5bbc67e3550af69bf6ea38040f41d6e Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 17:10:29 +0200
Subject: [PATCH 015/107] fix indentation

---
 www/%username/verify-email.html.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 340e3f12e8..9340d19416 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -34,7 +34,7 @@ result = participant.verify_email(hash_string)
     {% elif result == 1  %}
         <h1>{{ _("Your verification email has expired.") }}</h1>
     {% elif result == 2 %}
-    	<h1>{{ _("Failed to verify your email address") }}</h1>
+        <h1>{{ _("Failed to verify your email address") }}</h1>
     {% endif %}
     <a href="/">{{ _("Go to homepage") }}</a>
     </div>

From 135e99c6f5aa9a5f9206a604815278ee8e320b13 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 19:40:39 +0200
Subject: [PATCH 016/107] add test for expired hash

---
 tests/py/test_participant.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index 719105aaa8..ead50bf81c 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -246,7 +246,19 @@ def test_cannot_verify_email_with_wrong_hash(self, send_email):
         actual = Participant.from_username('alice').email.confirmed
         assert actual == False
 
-    # TODO - Add a test for expired hashes. (We don't have control over the ctime of emails)
+    @mock.patch.object(Participant, 'send_email')
+    def test_cannot_verify_email_with_expired_hash(self, send_email):
+        self.alice.update_email('alice@gratipay.com')
+        email = self.db.one("""
+            UPDATE participants
+               SET email.ctime = (now() - INTERVAL '25 hours')
+             WHERE username = 'alice'
+         RETURNING email
+        """)
+        self.alice.set_attributes(email=email)
+        self.alice.verify_email(self.alice.email.hash)
+        actual = Participant.from_username('alice').email.confirmed
+        assert actual == False
 
     def test_cant_take_over_claimed_participant_without_confirmation(self):
         with self.assertRaises(NeedConfirmation):

From 1a4528c02a228fd75b198c29e6389f6bf7764012 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 2 Oct 2014 19:41:45 +0200
Subject: [PATCH 017/107] check return code in tests

---
 tests/py/test_participant.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index ead50bf81c..a245640908 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -234,7 +234,8 @@ def test_can_change_email(self, send_email):
     def test_can_verify_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         hash_string = Participant.from_username('alice').email.hash
-        self.alice.verify_email(hash_string)
+        r = self.alice.verify_email(hash_string)
+        assert r == 0
         actual = Participant.from_username('alice').email.confirmed
         assert actual == True
 
@@ -242,7 +243,8 @@ def test_can_verify_email(self, send_email):
     def test_cannot_verify_email_with_wrong_hash(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         hash_string = "some wrong hash"
-        self.alice.verify_email(hash_string)
+        r = self.alice.verify_email(hash_string)
+        assert r == 2
         actual = Participant.from_username('alice').email.confirmed
         assert actual == False
 
@@ -256,7 +258,8 @@ def test_cannot_verify_email_with_expired_hash(self, send_email):
          RETURNING email
         """)
         self.alice.set_attributes(email=email)
-        self.alice.verify_email(self.alice.email.hash)
+        r = self.alice.verify_email(self.alice.email.hash)
+        assert r == 1
         actual = Participant.from_username('alice').email.confirmed
         assert actual == False
 

From baea1247a44b6c3f4964a6d246bde9fcf1ec82a4 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 3 Oct 2014 16:06:26 +0200
Subject: [PATCH 018/107] refactor

---
 gratipay/models/participant.py | 23 ++++++-----------------
 tests/py/test_participant.py   |  4 ++--
 www/%username/email.json.spt   |  8 ++++----
 3 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 2d69b5587a..121f40c517 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -551,11 +551,15 @@ def update_avatar(self):
         self.set_attributes(avatar_url=avatar_url)
 
     def update_email(self, email, confirmed=False):
-        hash_string = getattr(self.email, 'hash', '')
-        ctime = getattr(self.email, 'ctime', utcnow())
+        current_email = getattr(self.email, 'address', '')
+        was_confirmed = getattr(self.email, 'confirmed', False)
+        if email == current_email and was_confirmed:
+            return self.email
         if not confirmed:
             hash_string = str(uuid.uuid4())
             ctime = utcnow()
+        else:
+            hash_string = ctime = None
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
             r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
@@ -566,21 +570,6 @@ def update_email(self, email, confirmed=False):
             self.send_email(VERIFICATION_EMAIL, link=self.get_verification_link())
         return r
 
-    def change_email(self, email):
-        current_email = getattr(self.email, 'address', '')
-        was_confirmed = getattr(self.email, 'confirmed', False)
-        result = {
-            'address': email,
-            'confirmed': False
-        }
-        if email != current_email:
-            self.update_email(email,False)
-        elif not was_confirmed:
-            self.update_email(email,False)
-        else:
-            result['confirmed'] = True
-        return result
-
     def verify_email(self, hash_string):
         if getattr(self.email, 'confirmed', False):
             return 0 # Verified
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index a245640908..a7b10eae01 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -224,8 +224,8 @@ def test_john_is_plural(self):
         assert actual == expected
 
     @mock.patch.object(Participant, 'send_email')
-    def test_can_change_email(self, send_email):
-        self.alice.change_email('alice@gratipay.com')
+    def test_can_update_email(self, send_email):
+        self.alice.update_email('alice@gratipay.com')
         expected = 'alice@gratipay.com'
         actual = self.alice.email.address
         assert actual == expected
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index d4c5e0ba7a..74cb04793f 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -19,9 +19,9 @@ address = request.body['email']
 # The real validation will happen when we send the email
 if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
     raise Response(400)
-else:
-    # Woohoo! valid request, store it!
-    result = user.participant.change_email(address)
+
+# Woohoo! valid request, store it!
+email = user.participant.update_email(address)
 
 [---] application/json via json_dump
-{'email': result['address'], 'confirmed': result['confirmed'] }
+{'email': email.address, 'confirmed': email.confirmed}

From c9112f156a7aa6ca4899517e7da19078e8cc737c Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 3 Oct 2014 16:10:04 +0200
Subject: [PATCH 019/107] coding style

---
 gratipay/models/participant.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 121f40c517..9c2846b819 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -10,12 +10,12 @@
 """
 from __future__ import print_function, unicode_literals
 
+from datetime import timedelta
 from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
 import uuid
 
 import aspen
 from aspen.utils import typecheck, utcnow
-from datetime import timedelta
 from postgres.orm import Model
 from psycopg2 import IntegrityError
 
@@ -576,7 +576,7 @@ def verify_email(self, hash_string):
         original_hash = getattr(self.email, 'hash', '')
         email_ctime = getattr(self.email, 'ctime', '')
         if (original_hash == hash_string) and ((utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT):
-            self.update_email(self.email.address,True)
+            self.update_email(self.email.address, True)
             return 0 # Verified
         elif (original_hash == hash_string):
             return 1 # Expired
@@ -584,10 +584,12 @@ def verify_email(self, hash_string):
             return 2 # Failed
 
     def get_verification_link(self):
-        hash_string = self.email.hash
+        scheme = gratipay.canonical_scheme
+        host = gratipay.canonical_host
+        hash = self.email.hash
         username = self.username_lower
-        link = "%s://%s/%s/verify-email.html?hash=%s" % (gratipay.canonical_scheme, gratipay.canonical_host, username, hash_string)
-        return link
+        link = "{scheme}://{host}/{username}/verify-email.html?hash={hash}"
+        return link.format(**locals())
 
     def send_email(self, message, **params):
         message['from_email'] = 'support@gratipay.com'

From abdf353a835767e89d0b04a2b549037cfe194e80 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 3 Oct 2014 16:25:15 +0200
Subject: [PATCH 020/107] only compare once and do it in constant time

---
 gratipay/models/participant.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 9c2846b819..e0640ee3eb 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -37,6 +37,7 @@
 from gratipay.models import add_event
 from gratipay.models._mixin_team import MixinTeam
 from gratipay.models.account_elsewhere import AccountElsewhere
+from gratipay.security.crypto import constant_time_compare
 from gratipay.utils.username import safely_reserve_a_username
 from gratipay.utils import is_card_expiring
 from gratipay.utils.emails import VERIFICATION_EMAIL
@@ -575,11 +576,12 @@ def verify_email(self, hash_string):
             return 0 # Verified
         original_hash = getattr(self.email, 'hash', '')
         email_ctime = getattr(self.email, 'ctime', '')
-        if (original_hash == hash_string) and ((utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT):
-            self.update_email(self.email.address, True)
-            return 0 # Verified
-        elif (original_hash == hash_string):
-            return 1 # Expired
+        if constant_time_compare(original_hash, hash_string):
+            if (utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT:
+                self.update_email(self.email.address, True)
+                return 0 # Verified
+            else:
+                return 1 # Expired
         else:
             return 2 # Failed
 

From bc8a77cd784b445dac60c2defdef97cd0dc74e74 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 3 Oct 2014 16:36:49 +0200
Subject: [PATCH 021/107] rename `hash` to `nonce`

---
 branch.sql                          |  5 ++---
 gratipay/models/participant.py      | 16 +++++++-------
 tests/py/fixtures/TestEmailJson.yml |  4 ++--
 tests/py/test_close.py              |  2 +-
 tests/py/test_participant.py        | 14 ++++++------
 tests/py/test_verify_email_html.py  | 34 ++++++++++++++---------------
 www/%username/verify-email.html.spt |  4 ++--
 7 files changed, 39 insertions(+), 40 deletions(-)

diff --git a/branch.sql b/branch.sql
index 5b8eb84056..3a421407e0 100644
--- a/branch.sql
+++ b/branch.sql
@@ -1,5 +1,4 @@
 BEGIN;
-	ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE hash text;
-	ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE ctime timestamp with time zone;
+    ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE nonce text;
+    ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE ctime timestamp with time zone;
 END;
-
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index e0640ee3eb..8328de94e1 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -557,26 +557,26 @@ def update_email(self, email, confirmed=False):
         if email == current_email and was_confirmed:
             return self.email
         if not confirmed:
-            hash_string = str(uuid.uuid4())
+            nonce = str(uuid.uuid4())
             ctime = utcnow()
         else:
-            hash_string = ctime = None
+            nonce = ctime = None
         with self.db.get_cursor() as c:
             add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
             r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
-                     , (email, confirmed, hash_string, ctime, self.username)
+                     , (email, confirmed, nonce, ctime, self.username)
                       )
             self.set_attributes(email=r)
         if not confirmed:
             self.send_email(VERIFICATION_EMAIL, link=self.get_verification_link())
         return r
 
-    def verify_email(self, hash_string):
+    def verify_email(self, nonce):
         if getattr(self.email, 'confirmed', False):
             return 0 # Verified
-        original_hash = getattr(self.email, 'hash', '')
+        expected_nonce = getattr(self.email, 'nonce', '')
         email_ctime = getattr(self.email, 'ctime', '')
-        if constant_time_compare(original_hash, hash_string):
+        if constant_time_compare(expected_nonce, nonce):
             if (utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT:
                 self.update_email(self.email.address, True)
                 return 0 # Verified
@@ -588,9 +588,9 @@ def verify_email(self, hash_string):
     def get_verification_link(self):
         scheme = gratipay.canonical_scheme
         host = gratipay.canonical_host
-        hash = self.email.hash
+        nonce = self.email.nonce
         username = self.username_lower
-        link = "{scheme}://{host}/{username}/verify-email.html?hash={hash}"
+        link = "{scheme}://{host}/{username}/verify-email.html?nonce={nonce}"
         return link.format(**locals())
 
     def send_email(self, message, **params):
diff --git a/tests/py/fixtures/TestEmailJson.yml b/tests/py/fixtures/TestEmailJson.yml
index 9e1c79fba9..7fb2d27356 100644
--- a/tests/py/fixtures/TestEmailJson.yml
+++ b/tests/py/fixtures/TestEmailJson.yml
@@ -1,9 +1,9 @@
 interactions:
 - request:
     body: '{"async": false, "message": {"from_name": "Gratipay", "text": "\nWelcome
-      to Gratipay! Verify your email address:\n\nhttp:///alice/verify-email.html?hash=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\n",
+      to Gratipay! Verify your email address:\n\nhttp:///alice/verify-email.html?nonce=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\n",
       "from_email": "support@gratipay.com", "to": [{"email": "alice@gratipay.com",
-      "name": "alice"}], "html": "\nWelcome to Gratipay!\n<br><br>\n<a href=\"http:///alice/verify-email.html?hash=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\">Verify
+      "name": "alice"}], "html": "\nWelcome to Gratipay!\n<br><br>\n<a href=\"http:///alice/verify-email.html?nonce=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\">Verify
       your email address</a>.\n", "subject": "Welcome to Gratipay!"}, "send_at": null,
       "key": "Phh_Lm3RdPT5blqOPY4dVQ", "ip_pool": null}'
     headers: {}
diff --git a/tests/py/test_close.py b/tests/py/test_close.py
index 5f0ec321eb..9877aa44d5 100644
--- a/tests/py/test_close.py
+++ b/tests/py/test_close.py
@@ -283,7 +283,7 @@ def test_cpi_clears_personal_information(self):
                                      , anonymous_receiving=True
                                      , number='plural'
                                      , avatar_url='img-url'
-                                     , email=('alice@example.com', True, 'samplehash', utcnow())
+                                     , email=('alice@example.com', True, 'samplenonce', utcnow())
                                      , claimed_time='now'
                                      , session_token='deadbeef'
                                      , session_expires='2000-01-01'
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index a7b10eae01..b887a9b684 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -233,23 +233,23 @@ def test_can_update_email(self, send_email):
     @mock.patch.object(Participant, 'send_email')
     def test_can_verify_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')
-        hash_string = Participant.from_username('alice').email.hash
-        r = self.alice.verify_email(hash_string)
+        nonce = Participant.from_username('alice').email.nonce
+        r = self.alice.verify_email(nonce)
         assert r == 0
         actual = Participant.from_username('alice').email.confirmed
         assert actual == True
 
     @mock.patch.object(Participant, 'send_email')
-    def test_cannot_verify_email_with_wrong_hash(self, send_email):
+    def test_cannot_verify_email_with_wrong_nonce(self, send_email):
         self.alice.update_email('alice@gratipay.com')
-        hash_string = "some wrong hash"
-        r = self.alice.verify_email(hash_string)
+        nonce = "some wrong nonce"
+        r = self.alice.verify_email(nonce)
         assert r == 2
         actual = Participant.from_username('alice').email.confirmed
         assert actual == False
 
     @mock.patch.object(Participant, 'send_email')
-    def test_cannot_verify_email_with_expired_hash(self, send_email):
+    def test_cannot_verify_email_with_expired_nonce(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         email = self.db.one("""
             UPDATE participants
@@ -258,7 +258,7 @@ def test_cannot_verify_email_with_expired_hash(self, send_email):
          RETURNING email
         """)
         self.alice.set_attributes(email=email)
-        r = self.alice.verify_email(self.alice.email.hash)
+        r = self.alice.verify_email(self.alice.email.nonce)
         assert r == 1
         actual = Participant.from_username('alice').email.confirmed
         assert actual == False
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index 0328e90a9a..e5f3fdd14d 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -21,8 +21,8 @@ def change_email_address(self, address, username, send_email, should_fail=False)
             )
         return response
 
-    def verify_email(self, username, hash_string, should_fail=False):
-        url = '/%s/verify-email.html?hash=%s' % (username , hash_string)
+    def verify_email(self, username, nonce, should_fail=False):
+        url = '/%s/verify-email.html?nonce=%s' % (username , nonce)
         if should_fail:
             response = self.client.GxT(url)
         else:
@@ -31,13 +31,13 @@ def verify_email(self, username, hash_string, should_fail=False):
 
     def test_verify_email_without_adding_email(self):
         participant = self.make_participant('alice')
-        response = self.verify_email(participant.username,'sample-hash', should_fail=True)
+        response = self.verify_email(participant.username, 'sample-nonce', should_fail=True)
         assert response.code == 404
 
-    def test_verify_email_wrong_hash(self):
+    def test_verify_email_wrong_nonce(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        self.verify_email(participant.username,'sample-hash')
+        self.verify_email(participant.username, 'sample-nonce')
         expected = False
         actual = Participant.from_username(participant.username).email.confirmed
         assert expected == actual
@@ -45,8 +45,8 @@ def test_verify_email_wrong_hash(self):
     def test_verify_email(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        hash_string = Participant.from_username(participant.username).email.hash
-        self.verify_email(participant.username,hash_string)
+        nonce = Participant.from_username(participant.username).email.nonce
+        self.verify_email(participant.username, nonce)
         expected = True
         actual = Participant.from_username(participant.username).email.confirmed
         assert expected == actual
@@ -54,8 +54,8 @@ def test_verify_email(self):
     def test_email_is_not_confirmed_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        hash_string = Participant.from_username(participant.username).email.hash
-        self.verify_email(participant.username,hash_string)
+        nonce = Participant.from_username(participant.username).email.nonce
+        self.verify_email(participant.username, nonce)
         self.change_email_address('alice@yahoo.com', participant.username)
         expected = False
         actual = Participant.from_username(participant.username).email.confirmed
@@ -64,19 +64,19 @@ def test_email_is_not_confirmed_after_update(self):
     def test_verify_email_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        hash_string = Participant.from_username(participant.username).email.hash
-        self.verify_email(participant.username,hash_string)
+        nonce = Participant.from_username(participant.username).email.nonce
+        self.verify_email(participant.username, nonce)
         self.change_email_address('alice@yahoo.com', participant.username)
-        hash_string = Participant.from_username(participant.username).email.hash
-        self.verify_email(participant.username,hash_string)
+        nonce = Participant.from_username(participant.username).email.nonce
+        self.verify_email(participant.username, nonce)
         expected = True
         actual = Participant.from_username(participant.username).email.confirmed
         assert expected == actual
 
-    def test_hash_is_regenerated_on_update(self):
+    def test_nonce_is_regenerated_on_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        hash_string_1 = Participant.from_username(participant.username).email.hash
+        nonce1 = Participant.from_username(participant.username).email.nonce
         self.change_email_address('alice@gmail.com', participant.username)
-        hash_string_2 = Participant.from_username(participant.username).email.hash
-        assert hash_string_1 != hash_string_2
\ No newline at end of file
+        nonce2 = Participant.from_username(participant.username).email.nonce
+        assert nonce1 != nonce2
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 9340d19416..3befc16b37 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -9,12 +9,12 @@ from datetime import timedelta
 
 participant = get_participant(request, restrict=False)
 qs = request.line.uri.querystring
-hash_string = qs['hash'] if 'hash' in qs else ''
+nonce = qs.get('nonce', '')
 
 if not participant.email:
     raise Response(404)
 
-result = participant.verify_email(hash_string)
+result = participant.verify_email(nonce)
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}

From e7cec731f59d87215b248b6351c3797104246a16 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 3 Oct 2014 17:04:44 +0200
Subject: [PATCH 022/107] simplify a couple of test helpers (DRY)

---
 tests/py/test_verify_email_html.py | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index e5f3fdd14d..9576b6683e 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -7,27 +7,14 @@
 class TestForVerifyEmail(Harness):
 
     @mock.patch.object(Participant, 'send_email')
-    def change_email_address(self, address, username, send_email, should_fail=False):
+    def change_email_address(self, address, username, send_email):
         url = "/%s/email.json" % username
-        if should_fail:
-            response = self.client.PxST(url
-                , {'email': address,}
-                , auth_as=username
-            )
-        else:
-            response = self.client.POST(url
-                , {'email': address,}
-                , auth_as=username
-            )
-        return response
+        return self.client.POST(url, {'email': address}, auth_as=username)
 
     def verify_email(self, username, nonce, should_fail=False):
         url = '/%s/verify-email.html?nonce=%s' % (username , nonce)
-        if should_fail:
-            response = self.client.GxT(url)
-        else:
-            response = self.client.GET(url)
-        return response
+        G = self.client.GxT if should_fail else self.client.GET
+        return G(url)
 
     def test_verify_email_without_adding_email(self):
         participant = self.make_participant('alice')

From ee8af15ca4996da2d51f72ba41c125f19f8857f8 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 15:47:36 -0400
Subject: [PATCH 023/107] Spruce up the design of the verification email

---
 gratipay/models/participant.py | 12 +++++++----
 gratipay/utils/emails.py       | 37 +++++++++++++++++++++++++++-------
 2 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 8328de94e1..a33908203c 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -568,7 +568,11 @@ def update_email(self, email, confirmed=False):
                       )
             self.set_attributes(email=r)
         if not confirmed:
-            self.send_email(VERIFICATION_EMAIL, link=self.get_verification_link())
+            self.send_email( VERIFICATION_EMAIL
+                           , link=self.get_verification_link()
+                           , email=email
+                           , username=self.username
+                            )
         return r
 
     def verify_email(self, nonce):
@@ -595,9 +599,9 @@ def get_verification_link(self):
 
     def send_email(self, message, **params):
         message['from_email'] = 'support@gratipay.com'
-        message['from_name'] = 'Gratipay'
-        message['to'] = [{'email': self.email.address,
-                          'name': self.username}]
+        message['from_name'] = 'Gratipay Support'
+        message['to'] = [{'email': self.email.address, 'name': self.username}]
+        message['subject'] = message['subject'].format(**params)
         message['html'] = message['html'].format(**params)
         message['text'] = message['text'].format(**params)
         return self.mailer.messages.send(message=message)
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index ac42ed8a67..41b1aea501 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -2,15 +2,38 @@
 
 
 VERIFICATION_EMAIL = dict(
-    subject="Welcome to Gratipay!",
-    html="""
-Welcome to Gratipay!
-<br><br>
-<a href="{link}">Verify your email address</a>.
+    subject="Connect to {username} on Gratipay?",
+    html="""\
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif;">
+    <img src="http://gratipay.com/assets/-/gratipay.png">
+
+    <br><br>
+
+    We've received a request to connect <b>{email}</b>
+
+    <br>
+
+    to the <b><a href="https://gratipay.com/{username}">{username}</a></b>
+    account on Gratipay. Sound familiar?
+
+    <br><br>
+
+    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
+
+    <br><br>
+
+    <div style="color: #ccc;">Something not right? Reply to this email for help.</div>
+
+</div>
 """,
-    text="""
-Welcome to Gratipay! Verify your email address:
+    text="""\
+We've received a request to connect {email} to the
+{username} account on Gratipay. Sound familiar? Follow this
+link to finish making the connection:
 
 {link}
+
+Something not right? Reply to this email for help.
+
 """,
 )

From a07f0279e1e8e8013603511a0d4aace1a815e3d4 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 16:18:05 -0400
Subject: [PATCH 024/107] Switch to CDN image

---
 gratipay/utils/emails.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 41b1aea501..c5237aeb49 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -4,10 +4,11 @@
 VERIFICATION_EMAIL = dict(
     subject="Connect to {username} on Gratipay?",
     html="""\
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif;">
-    <img src="http://gratipay.com/assets/-/gratipay.png">
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
 
-    <br><br>
+    <div style="padding: 40px 0 20px; margin: 0;">
+        <img src="https://downloads.gratipay.com/email/gratipay.png">
+    </div>
 
     We've received a request to connect <b>{email}</b>
 
@@ -22,7 +23,7 @@
 
     <br><br>
 
-    <div style="color: #ccc;">Something not right? Reply to this email for help.</div>
+    <div style="color: #999;">Something not right? Reply to this email for help.</div>
 
 </div>
 """,

From 81710ebaeaf455595f77ee6d12a26a18639ec234 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 16:48:07 -0400
Subject: [PATCH 025/107] Add footer to emails with our address

---
 gratipay/models/participant.py | 12 +++++++-----
 gratipay/utils/emails.py       | 19 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index a33908203c..341dd20345 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -39,8 +39,7 @@
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.security.crypto import constant_time_compare
 from gratipay.utils.username import safely_reserve_a_username
-from gratipay.utils import is_card_expiring
-from gratipay.utils.emails import VERIFICATION_EMAIL
+from gratipay.utils import emails, is_card_expiring
 
 
 ASCII_ALLOWED_IN_USERNAME = set("0123456789"
@@ -568,10 +567,11 @@ def update_email(self, email, confirmed=False):
                       )
             self.set_attributes(email=r)
         if not confirmed:
-            self.send_email( VERIFICATION_EMAIL
+            self.send_email( emails.VERIFICATION_EMAIL
                            , link=self.get_verification_link()
                            , email=email
                            , username=self.username
+                           , include_unsubscribe=False
                             )
         return r
 
@@ -598,12 +598,14 @@ def get_verification_link(self):
         return link.format(**locals())
 
     def send_email(self, message, **params):
+        include_unsubscribe = params.pop('include_unsubscribe', True)
+        footer = emails.FOOTER if include_unsubscribe else emails.FOOTER_NO_UNSUBSCRIBE
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'
         message['to'] = [{'email': self.email.address, 'name': self.username}]
         message['subject'] = message['subject'].format(**params)
-        message['html'] = message['html'].format(**params)
-        message['text'] = message['text'].format(**params)
+        message['html'] = message['html'].format(**params) + footer['html']
+        message['text'] = message['text'].format(**params) + footer['text']
         return self.mailer.messages.send(message=message)
 
     def update_goal(self, goal):
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index c5237aeb49..c370f205d5 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -1,12 +1,29 @@
 from __future__ import unicode_literals
 
 
+FOOTER_NO_UNSUBSCRIBE = dict(
+    html = """\
+<div style="text-align: center; color: #999; font: normal 10px/21px Arial, sans-serif;">
+    Sent by <a href="https://gratipay.com/" style="color: #999; text-decoration: underline;">Gratipay, LLC</a> | 716 Park Road, Ambridge, PA, 15003, USA
+</div>
+    """,
+    text = """\
+----
+
+Sent by Gratipay, LLC, https://gratipay.com/
+716 Park Road, Ambridge, PA, 15003, USA
+""",
+)
+
+FOOTER = FOOTER_NO_UNSUBSCRIBE  # XXX Need to implement unsubscribe!
+
+
 VERIFICATION_EMAIL = dict(
     subject="Connect to {username} on Gratipay?",
     html="""\
 <div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
 
-    <div style="padding: 40px 0 20px; margin: 0;">
+    <div style="padding: 20px 0; margin: 0;">
         <img src="https://downloads.gratipay.com/email/gratipay.png">
     </div>
 

From 69bef238240926d93b6d593192b86f64b24a1f4c Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 16:58:51 -0400
Subject: [PATCH 026/107] Factor header out of email as well

---
 gratipay/models/participant.py |  7 +++++--
 gratipay/utils/emails.py       | 37 +++++++++++++++++++++++++---------
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 341dd20345..10456e033f 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -598,14 +598,17 @@ def get_verification_link(self):
         return link.format(**locals())
 
     def send_email(self, message, **params):
+        header = emails.HEADER
         include_unsubscribe = params.pop('include_unsubscribe', True)
         footer = emails.FOOTER if include_unsubscribe else emails.FOOTER_NO_UNSUBSCRIBE
+
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'
         message['to'] = [{'email': self.email.address, 'name': self.username}]
         message['subject'] = message['subject'].format(**params)
-        message['html'] = message['html'].format(**params) + footer['html']
-        message['text'] = message['text'].format(**params) + footer['text']
+        message['html'] = header['html'] + message['html'].format(**params) + footer['html']
+        message['text'] = header['text'] + message['text'].format(**params) + footer['text']
+
         return self.mailer.messages.send(message=message)
 
     def update_goal(self, goal):
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index c370f205d5..1ee9c5f80e 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -1,6 +1,24 @@
 from __future__ import unicode_literals
 
 
+# Header
+# ======
+
+HEADER = dict(
+    html="""\
+<div style="text-align: center; padding: 20px 0; margin: 0;">
+    <img src="https://downloads.gratipay.com/email/gratipay.png">
+</div>
+""",
+    text="""\
+Greetings, program!
+""",
+)
+
+
+# Footer
+# ======
+
 FOOTER_NO_UNSUBSCRIBE = dict(
     html = """\
 <div style="text-align: center; color: #999; font: normal 10px/21px Arial, sans-serif;">
@@ -8,6 +26,8 @@
 </div>
     """,
     text = """\
+Something not right? Reply to this email for help.
+
 ----
 
 Sent by Gratipay, LLC, https://gratipay.com/
@@ -18,15 +38,13 @@
 FOOTER = FOOTER_NO_UNSUBSCRIBE  # XXX Need to implement unsubscribe!
 
 
+# Verification
+# ============
+
 VERIFICATION_EMAIL = dict(
     subject="Connect to {username} on Gratipay?",
     html="""\
 <div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-
-    <div style="padding: 20px 0; margin: 0;">
-        <img src="https://downloads.gratipay.com/email/gratipay.png">
-    </div>
-
     We've received a request to connect <b>{email}</b>
 
     <br>
@@ -45,13 +63,12 @@
 </div>
 """,
     text="""\
-We've received a request to connect {email} to the
-{username} account on Gratipay. Sound familiar? Follow this
-link to finish making the connection:
 
-{link}
+We've received a request to connect {email} to the {username}
+account on Gratipay. Sound familiar? Follow this link to finish
+connecting your email:
 
-Something not right? Reply to this email for help.
+{link}
 
 """,
 )

From 92887495228a6462f3dd8f354100adc30c4c1ec9 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 17:00:34 -0400
Subject: [PATCH 027/107] Add alt text to header image

Hopefully helps when images are disabled.
---
 gratipay/utils/emails.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 1ee9c5f80e..7b7ee4e5b4 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -7,7 +7,7 @@
 HEADER = dict(
     html="""\
 <div style="text-align: center; padding: 20px 0; margin: 0;">
-    <img src="https://downloads.gratipay.com/email/gratipay.png">
+    <img src="https://downloads.gratipay.com/email/gratipay.png" alt="Gratipay">
 </div>
 """,
     text="""\

From 3af999fc3bf7a021a6643be43b5f199f5b38c57c Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 17:10:34 -0400
Subject: [PATCH 028/107] Fix bug where we were mutating underlying message

---
 gratipay/models/participant.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 10456e033f..6a6ceeeecf 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -602,6 +602,7 @@ def send_email(self, message, **params):
         include_unsubscribe = params.pop('include_unsubscribe', True)
         footer = emails.FOOTER if include_unsubscribe else emails.FOOTER_NO_UNSUBSCRIBE
 
+        message = message.copy()
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'
         message['to'] = [{'email': self.email.address, 'name': self.username}]

From 50fa80e519101cb59ec7fb8c7a24b5fdeae0ae93 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 17:10:51 -0400
Subject: [PATCH 029/107] Move Something wrong? to footer

---
 gratipay/utils/emails.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 7b7ee4e5b4..56e9437308 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -21,8 +21,14 @@
 
 FOOTER_NO_UNSUBSCRIBE = dict(
     html = """\
-<div style="text-align: center; color: #999; font: normal 10px/21px Arial, sans-serif;">
-    Sent by <a href="https://gratipay.com/" style="color: #999; text-decoration: underline;">Gratipay, LLC</a> | 716 Park Road, Ambridge, PA, 15003, USA
+
+<div style="text-align: center; color: #999; padding: 21px 0 0;">
+    <div style="font: normal 14px/21px Arial, sans-serif;">
+        Something not right? Reply to this email for help.
+    </div>
+    <div style="font: normal 10px/21px Arial, sans-serif;">
+        Sent by <a href="https://gratipay.com/" style="color: #999; text-decoration: underline;">Gratipay, LLC</a> | 716 Park Road, Ambridge, PA, 15003, USA
+    </div>
 </div>
     """,
     text = """\
@@ -56,10 +62,6 @@
 
     <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
 
-    <br><br>
-
-    <div style="color: #999;">Something not right? Reply to this email for help.</div>
-
 </div>
 """,
     text="""\

From 1c6aad2ec46ed9f2b3662bc956f50c2a44187175 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 17:44:28 -0400
Subject: [PATCH 030/107] Homepage is unhelpful atm; route to profile

---
 www/%username/verify-email.html.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 3befc16b37..846d59486c 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -36,7 +36,7 @@ result = participant.verify_email(nonce)
     {% elif result == 2 %}
         <h1>{{ _("Failed to verify your email address") }}</h1>
     {% endif %}
-    <a href="/">{{ _("Go to homepage") }}</a>
+    <a href="/{{ participant.username }}/">{{ _("Go to your profile") }}.</a>
     </div>
 {% endblock %}
 

From 195088e9eae3b3744c41bcd009490038e5a3a93f Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 6 Oct 2014 17:44:45 -0400
Subject: [PATCH 031/107] Improve success message for email verification

---
 www/%username/verify-email.html.spt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 846d59486c..072bd1d1f6 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -30,7 +30,11 @@ result = participant.verify_email(nonce)
 {% block box %}
     <div class="as-content">
     {% if result == 0 %}
-        <h1>{{ _("Your email address has been verified.") }}</h1>
+        <h1>{{ _("Success!") }}</h1>
+
+        <p>Your email address <b>{{ participant.email.address }}</b> is now
+        connected to your Gratipay account.</p>
+
     {% elif result == 1  %}
         <h1>{{ _("Your verification email has expired.") }}</h1>
     {% elif result == 2 %}

From 99b65e4f6cebaf83368f6608ac6c8cd3172103bb Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Tue, 21 Oct 2014 17:11:01 +0530
Subject: [PATCH 032/107] Changing to emails table

---
 branch.sql                           |  24 +++++-
 gratipay/models/participant.py       | 115 ++++++++++++++++++++-------
 www/%username/account/index.html.spt |  20 +++--
 www/%username/email.json.spt         |   2 +-
 www/%username/verify-email.html.spt  |   5 +-
 5 files changed, 126 insertions(+), 40 deletions(-)

diff --git a/branch.sql b/branch.sql
index 3a421407e0..194670c35d 100644
--- a/branch.sql
+++ b/branch.sql
@@ -1,4 +1,24 @@
 BEGIN;
-    ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE nonce text;
-    ALTER TYPE email_address_with_confirmation ADD ATTRIBUTE ctime timestamp with time zone;
+    -- TODO: Migrate the existing emails - there are 766 users with emails attached.
+    --       This is to be done before we can delete the existing emails and email types.
+
+    CREATE TABLE emails
+    ( id                                serial                      PRIMARY KEY
+    , address                           text                        NOT NULL
+    , confirmed                         boolean                     DEFAULT NULL
+    , nonce                             text
+    , ctime                             timestamp with time zone    NOT NULL DEFAULT CURRENT_TIMESTAMP
+    , mtime                             timestamp with time zone
+    , participant                       text                        NOT NULL REFERENCES participants
+    , UNIQUE (address, confirmed) -- One verified email address per person.
+     );
+
+    -- The participants table currently has an `email` attribute of type email_address_with confirmation
+    -- This should be deleted in the future, once the emails are migrated.
+    -- The column we're going to replace it with is named `email_address`. This is only for **verified** emails.
+    -- All unverified email stuff happens in the emails table and won't touch this attribute.
+
+    ALTER TABLE participants ADD COLUMN email_address text;
+
+    -- TODO: Add a trigger function to update the email attribute on the user model?.
 END;
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 6a6ceeeecf..7da80ba6d5 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -551,61 +551,120 @@ def update_avatar(self):
         self.set_attributes(avatar_url=avatar_url)
 
     def update_email(self, email, confirmed=False):
-        current_email = getattr(self.email, 'address', '')
-        was_confirmed = getattr(self.email, 'confirmed', False)
-        if email == current_email and was_confirmed:
-            return self.email
-        if not confirmed:
+        """
+            Update the email address of a participant.
+
+            This could be called when
+            1) Adding a new email address
+            2) Resending the verification email for an unverified email address
+            3) Confirming an email address
+
+            In case 3, we UPDATE rows. In case 1 and 2, we're just INSERTing.
+
+            We return a value only if we've sent a verification email.
+        """
+        current_email = self.email_address
+
+        # If the email is already confirmed we have nothing to do.
+        if email == current_email:
+            return None
+
+        if confirmed:
+            with self.db.get_cursor() as c:
+                # TODO: Invalidate all other emails
+
+                r = c.run("""
+                    UPDATE emails
+                       SET confirmed = true, mtime = %s
+                     WHERE address = %s
+                 RETURNING address
+                """, (utcnow(), email))
+
+                # TODO: What happens another user has verified this email already?
+                #       Either do something here, or below.
+
+                # This could be done by a trigger function.
+                c.run("""
+                    UPDATE participants
+                       SET email_address = %s
+                     WHERE username = %s
+                """, (email, self.username))
+
+                self.set_attributes(email_address = r)
+            return None
+        else:
+            # TODO - check whether someone has verified this already?
             nonce = str(uuid.uuid4())
             ctime = utcnow()
-        else:
-            nonce = ctime = None
-        with self.db.get_cursor() as c:
-            add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
-            r = c.one("UPDATE participants SET email = ROW(%s, %s, %s, %s) WHERE username=%s RETURNING email"
-                     , (email, confirmed, nonce, ctime, self.username)
-                      )
-            self.set_attributes(email=r)
-        if not confirmed:
+            with self.db.get_cursor() as c:
+                add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
+                c.run("""
+                    INSERT INTO emails
+                                (address, nonce, ctime, participant)
+                         VALUES (%s, %s, %s, %s)
+                """, (email, nonce, ctime, self.username))
+
             self.send_email( emails.VERIFICATION_EMAIL
-                           , link=self.get_verification_link()
                            , email=email
+                           , link=self.get_verification_link(email)
                            , username=self.username
                            , include_unsubscribe=False
                             )
-        return r
+            return email
 
-    def verify_email(self, nonce):
-        if getattr(self.email, 'confirmed', False):
+    def verify_email(self, email, nonce):
+        if self.email_address and email == self.email_address:
             return 0 # Verified
-        expected_nonce = getattr(self.email, 'nonce', '')
-        email_ctime = getattr(self.email, 'ctime', '')
+
+        expected_nonce, ctime = self.get_email_nonce_and_ctime(email)
         if constant_time_compare(expected_nonce, nonce):
-            if (utcnow() - email_ctime) < EMAIL_HASH_TIMEOUT:
-                self.update_email(self.email.address, True)
+            if (utcnow() - ctime) < EMAIL_HASH_TIMEOUT:
+                self.update_email(email, True)
                 return 0 # Verified
             else:
                 return 1 # Expired
         else:
             return 2 # Failed
 
-    def get_verification_link(self):
+    def get_verification_link(self, email):
         scheme = gratipay.canonical_scheme
         host = gratipay.canonical_host
-        nonce = self.email.nonce
+        nonce = self.get_email_nonce_and_ctime(email)[0]
         username = self.username_lower
-        link = "{scheme}://{host}/{username}/verify-email.html?nonce={nonce}"
+        link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
         return link.format(**locals())
 
-    def send_email(self, message, **params):
+    def get_email_nonce_and_ctime(self, email):
+        rec = self.db.one("""
+            SELECT nonce, ctime
+              FROM emails
+             WHERE participant = %s
+               AND address = %s
+          ORDER BY ctime DESC
+             LIMIT 1
+        """, (self.username, email))
+        return rec.nonce, rec.ctime
+
+    def get_unverified_email(self):
+        return self.db.one("""
+            SELECT address
+              FROM emails
+             WHERE participant = %s
+          ORDER BY ctime DESC
+             LIMIT 1
+        """, (self.username,))
+
+    def send_email(self, message, email=None, **params):
         header = emails.HEADER
         include_unsubscribe = params.pop('include_unsubscribe', True)
         footer = emails.FOOTER if include_unsubscribe else emails.FOOTER_NO_UNSUBSCRIBE
-
+        if not email:
+            email = self.email_address
+        params['email'] = email
         message = message.copy()
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'
-        message['to'] = [{'email': self.email.address, 'name': self.username}]
+        message['to'] = [{'email': email, 'name': self.username}]
         message['subject'] = message['subject'].format(**params)
         message['html'] = header['html'] + message['html'].format(**params) + footer['html']
         message['text'] = header['text'] + message['text'].format(**params) + footer['text']
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 7fa51e9289..ec6cd9a2dc 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -154,14 +154,16 @@ locked = False
                     <div class="account-type">{{ _("Email Address (Private)") }}</div>
                     <div class="email">
                         <a class="address email-address" href="javascript:;">
-                            {% if participant.email %}
-                                {{ participant.email.address }}
+                            {% if participant.email_address %}
+                                {{ participant.email_address }}
+                            {% elif participant.get_unverified_email() %}
+                                {{ participant.get_unverified_email() }}
                             {% endif %}
                         </a>
-                        {% if participant.email and not participant.email.confirmed %}
-                            <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
-                        {% elif participant.email %}
+                        {% if participant.email_address %}
                             <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
+                        {% elif participant.get_unverified_email() %}
+                            <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
                         {% endif %}
                     </div>
 
@@ -177,7 +179,7 @@ locked = False
                             <button type="submit" class="email hidden">Save</button>
                             <button type="cancel" class="email cancel hidden">Cancel</button>
                         </div>
-                        {% if participant.email and not participant.email.confirmed %}
+                        {% if not participant.email_address and participant.get_unverified_email() %}
                             <div class="buttons">
                                 <button type="resend" class="email">Resend Email</button>
                             </div>
@@ -186,7 +188,11 @@ locked = False
                 </td>
                 <td class="account-action">
                     <button class="toggle-email">
-                        {{ _("Edit") if participant.email else _("+ Add") }}
+                        {% if participant.email_address or participant.get_unverified_email() %}
+                            {{ _("Edit") }}
+                        {% else %}
+                            {{ _("+ Add") }}
+                        {% endif %}
                     </button>
                 </td>
             </tr>
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 74cb04793f..c2c7dca3ef 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -24,4 +24,4 @@ if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
 email = user.participant.update_email(address)
 
 [---] application/json via json_dump
-{'email': email.address, 'confirmed': email.confirmed}
+{'email': email}
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 072bd1d1f6..ef1a1865bd 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -10,11 +10,12 @@ from datetime import timedelta
 participant = get_participant(request, restrict=False)
 qs = request.line.uri.querystring
 nonce = qs.get('nonce', '')
+email = qs.get('email', '')
 
 if not participant.email:
     raise Response(404)
 
-result = participant.verify_email(nonce)
+result = participant.verify_email(email, nonce)
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}
@@ -32,7 +33,7 @@ result = participant.verify_email(nonce)
     {% if result == 0 %}
         <h1>{{ _("Success!") }}</h1>
 
-        <p>Your email address <b>{{ participant.email.address }}</b> is now
+        <p>Your email address <b>{{ participant.email_address }}</b> is now
         connected to your Gratipay account.</p>
 
     {% elif result == 1  %}

From bd93c022bc64c817622208938a74470705e039c4 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 00:19:10 +0530
Subject: [PATCH 033/107] Fix tests

---
 gratipay/models/participant.py      |  5 ++-
 tests/py/test_close.py              |  5 +--
 tests/py/test_participant.py        | 37 +++++++++++--------
 tests/py/test_verify_email_html.py  | 57 +++++++++++++++++------------
 www/%username/verify-email.html.spt |  2 +-
 5 files changed, 61 insertions(+), 45 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 7da80ba6d5..156d1b78d7 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -430,7 +430,7 @@ def clear_personal_information(self, cursor):
                  , anonymous_receiving=False
                  , number='singular'
                  , avatar_url=NULL
-                 , email=NULL
+                 , email_address=NULL
                  , claimed_time=NULL
                  , session_token=NULL
                  , session_expires=now()
@@ -615,7 +615,8 @@ def update_email(self, email, confirmed=False):
     def verify_email(self, email, nonce):
         if self.email_address and email == self.email_address:
             return 0 # Verified
-
+        if self.get_unverified_email() != email:
+            return 2
         expected_nonce, ctime = self.get_email_nonce_and_ctime(email)
         if constant_time_compare(expected_nonce, nonce):
             if (utcnow() - ctime) < EMAIL_HASH_TIMEOUT:
diff --git a/tests/py/test_close.py b/tests/py/test_close.py
index 9877aa44d5..b3a80bfc6f 100644
--- a/tests/py/test_close.py
+++ b/tests/py/test_close.py
@@ -10,7 +10,6 @@
 from gratipay.models.community import Community
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
-from aspen.utils import utcnow
 
 
 class TestClosing(Harness):
@@ -283,7 +282,7 @@ def test_cpi_clears_personal_information(self):
                                      , anonymous_receiving=True
                                      , number='plural'
                                      , avatar_url='img-url'
-                                     , email=('alice@example.com', True, 'samplenonce', utcnow())
+                                     , email_address='alice@example.com'
                                      , claimed_time='now'
                                      , session_token='deadbeef'
                                      , session_expires='2000-01-01'
@@ -304,7 +303,7 @@ def test_cpi_clears_personal_information(self):
         assert (alice.anonymous_receiving, new_alice.anonymous_giving) == (False, False)
         assert alice.number == new_alice.number == 'singular'
         assert alice.avatar_url == new_alice.avatar_url == None
-        assert alice.email == new_alice.email == None
+        assert alice.email_address == new_alice.email_address == None
         assert alice.claimed_time == new_alice.claimed_time == None
         assert alice.giving == new_alice.giving == 0
         assert alice.pledging == new_alice.pledging == 0
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index b887a9b684..bdb524f533 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -227,41 +227,46 @@ def test_john_is_plural(self):
     def test_can_update_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         expected = 'alice@gratipay.com'
-        actual = self.alice.email.address
+        actual = self.alice.get_unverified_email()
         assert actual == expected
 
     @mock.patch.object(Participant, 'send_email')
     def test_can_verify_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')
-        nonce = Participant.from_username('alice').email.nonce
-        r = self.alice.verify_email(nonce)
+        email = Participant.from_username('alice').get_unverified_email()
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime(email)[0]
+        r = self.alice.verify_email(email, nonce)
         assert r == 0
-        actual = Participant.from_username('alice').email.confirmed
-        assert actual == True
+        actual = Participant.from_username('alice').email_address
+        expected = 'alice@gratipay.com'
+        assert actual == expected
 
     @mock.patch.object(Participant, 'send_email')
     def test_cannot_verify_email_with_wrong_nonce(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         nonce = "some wrong nonce"
-        r = self.alice.verify_email(nonce)
+        r = self.alice.verify_email("alice@gratipay.com", nonce)
         assert r == 2
-        actual = Participant.from_username('alice').email.confirmed
-        assert actual == False
+        actual = Participant.from_username('alice').email_address
+        assert actual == None
 
     @mock.patch.object(Participant, 'send_email')
     def test_cannot_verify_email_with_expired_nonce(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         email = self.db.one("""
-            UPDATE participants
-               SET email.ctime = (now() - INTERVAL '25 hours')
-             WHERE username = 'alice'
-         RETURNING email
+            UPDATE emails
+               SET ctime = (now() - INTERVAL '25 hours')
+             WHERE participant = 'alice'
+         RETURNING address
         """)
-        self.alice.set_attributes(email=email)
-        r = self.alice.verify_email(self.alice.email.nonce)
+        nonce = self.alice.get_email_nonce_and_ctime(email)[0]
+        r = self.alice.verify_email("alice@gratipay.com", nonce)
         assert r == 1
-        actual = Participant.from_username('alice').email.confirmed
-        assert actual == False
+        actual = Participant.from_username('alice').email_address
+        assert actual == None
+        actual = Participant.from_username('alice').get_unverified_email()
+        expected = 'alice@gratipay.com'
+        assert actual == expected
 
     def test_cant_take_over_claimed_participant_without_confirmation(self):
         with self.assertRaises(NeedConfirmation):
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index 9576b6683e..f63b322c69 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -11,59 +11,70 @@ def change_email_address(self, address, username, send_email):
         url = "/%s/email.json" % username
         return self.client.POST(url, {'email': address}, auth_as=username)
 
-    def verify_email(self, username, nonce, should_fail=False):
-        url = '/%s/verify-email.html?nonce=%s' % (username , nonce)
+    def verify_email(self, username, email, nonce, should_fail=False):
+        url = '/%s/verify-email.html?email=%s&nonce=%s' % (username, email, nonce)
         G = self.client.GxT if should_fail else self.client.GET
         return G(url)
 
     def test_verify_email_without_adding_email(self):
         participant = self.make_participant('alice')
-        response = self.verify_email(participant.username, 'sample-nonce', should_fail=True)
+        response = self.verify_email(participant.username, '', 'sample-nonce', should_fail=True)
         assert response.code == 404
 
     def test_verify_email_wrong_nonce(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        self.verify_email(participant.username, 'sample-nonce')
-        expected = False
-        actual = Participant.from_username(participant.username).email.confirmed
+        self.verify_email(participant.username, 'alice@gmail.com', 'sample-nonce')
+        expected = None
+        actual = Participant.from_username(participant.username).email_address
         assert expected == actual
 
     def test_verify_email(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username(participant.username).email.nonce
-        self.verify_email(participant.username, nonce)
-        expected = True
-        actual = Participant.from_username(participant.username).email.confirmed
+        nonce = Participant.from_username(participant.username)
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+        self.verify_email(participant.username, 'alice@gmail.com', nonce)
+        expected = 'alice@gmail.com'
+        actual = Participant.from_username(participant.username).email_address
         assert expected == actual
 
-    def test_email_is_not_confirmed_after_update(self):
+    def test_confirmed_email_is_not_changed_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username(participant.username).email.nonce
-        self.verify_email(participant.username, nonce)
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+        self.verify_email(participant.username, 'alice@gmail.com', nonce)
         self.change_email_address('alice@yahoo.com', participant.username)
-        expected = False
-        actual = Participant.from_username(participant.username).email.confirmed
+        expected = 'alice@gmail.com'
+        actual = Participant.from_username(participant.username).email_address
+        assert expected == actual
+
+    def test_unverified_email_is_set_changed_after_update(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+        self.verify_email(participant.username, 'alice@gmail.com', nonce)
+        self.change_email_address('alice@yahoo.com', participant.username)
+        expected = 'alice@yahoo.com'
+        actual = Participant.from_username(participant.username).get_unverified_email()
         assert expected == actual
 
     def test_verify_email_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username(participant.username).email.nonce
-        self.verify_email(participant.username, nonce)
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+        self.verify_email(participant.username, 'alice@gmail.com', nonce)
         self.change_email_address('alice@yahoo.com', participant.username)
-        nonce = Participant.from_username(participant.username).email.nonce
-        self.verify_email(participant.username, nonce)
-        expected = True
-        actual = Participant.from_username(participant.username).email.confirmed
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@yahoo.com')[0]
+        self.verify_email(participant.username, 'alice@yahoo.com', nonce)
+        expected = 'alice@yahoo.com'
+        actual = Participant.from_username(participant.username).email_address
         assert expected == actual
 
     def test_nonce_is_regenerated_on_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
-        nonce1 = Participant.from_username(participant.username).email.nonce
+        nonce1 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
         self.change_email_address('alice@gmail.com', participant.username)
-        nonce2 = Participant.from_username(participant.username).email.nonce
+        nonce2 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
         assert nonce1 != nonce2
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index ef1a1865bd..d499179b5f 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -12,7 +12,7 @@ qs = request.line.uri.querystring
 nonce = qs.get('nonce', '')
 email = qs.get('email', '')
 
-if not participant.email:
+if not participant.get_unverified_email():
     raise Response(404)
 
 result = participant.verify_email(email, nonce)

From a34edaa24ab0688f69075bdb885ccfc8a6a28886 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 10:28:34 +0530
Subject: [PATCH 034/107] Failing test for adding already verified emails

---
 tests/py/test_participant.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index bdb524f533..f4b26aa496 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -230,6 +230,15 @@ def test_can_update_email(self, send_email):
         actual = self.alice.get_unverified_email()
         assert actual == expected
 
+    @mock.patch.object(Participant, 'send_email')
+    def test_cannot_update_email_to_already_verified(self, send_email):
+        self.alice.update_email('alice@gratipay.com')
+        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gratipay.com')[0]
+        self.alice.verify_email('alice@gratipay.com', nonce)
+        self.bob.update_email('alice@gratipay.com')
+        assert self.alice.email_address == 'alice@gratipay.com'
+        assert self.bob.get_unverified_email() == None
+
     @mock.patch.object(Participant, 'send_email')
     def test_can_verify_email(self, send_email):
         self.alice.update_email('alice@gratipay.com')

From e4e4276267d734559e9d9604ee971801f4cc9b1e Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 10:54:04 +0530
Subject: [PATCH 035/107] Added EmailAlreadyTaken exception

---
 Makefile                       |  4 ++--
 gratipay/exceptions.py         |  8 ++++++++
 gratipay/models/participant.py | 11 ++++++++++-
 tests/py/test_participant.py   |  4 +++-
 www/%username/email.json.spt   |  7 +++++--
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 5f42b162b5..7cb7bb9ef1 100644
--- a/Makefile
+++ b/Makefile
@@ -47,10 +47,10 @@ test-schema: env
 pyflakes: env
 	$(env_bin)/pyflakes bin gratipay tests
 
-test: test-schema pytest jstest
+test: test-schema pytest
 
 pytest: env
-	$(py_test) --cov gratipay ./tests/py/
+	$(py_test) --cov gratipay ./tests/py/test_participant.py
 	@$(MAKE) --no-print-directory pyflakes
 
 retest: env
diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index 9695ad9ef4..1a2ba61275 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -25,6 +25,14 @@ class UsernameAlreadyTaken(ProblemChangingUsername):
     msg = "The username '{}' is already taken."
 
 
+class ProblemChangingEmail(Exception):
+    def __str__(self):
+        return self.msg.format(self.args[0])
+
+class EmailAlreadyTaken(ProblemChangingEmail):
+    msg = "An account with the email '{}' already exists"
+
+
 class ProblemChangingNumber(Exception):
     def __str__(self):
         return self.msg
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 156d1b78d7..a17599cde5 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -32,6 +32,7 @@
     NoTippee,
     BadAmount,
     UserDoesntAcceptTips,
+    EmailAlreadyTaken
 )
 
 from gratipay.models import add_event
@@ -573,7 +574,7 @@ def update_email(self, email, confirmed=False):
             with self.db.get_cursor() as c:
                 # TODO: Invalidate all other emails
 
-                r = c.run("""
+                r = c.one("""
                     UPDATE emails
                        SET confirmed = true, mtime = %s
                      WHERE address = %s
@@ -594,6 +595,14 @@ def update_email(self, email, confirmed=False):
             return None
         else:
             # TODO - check whether someone has verified this already?
+            exists = self.db.one("""
+                SELECT COUNT(*)
+                  FROM participants
+                 WHERE email_address=%s
+            """, (email,))
+            if exists:
+                raise EmailAlreadyTaken(email)
+                return None
             nonce = str(uuid.uuid4())
             ctime = utcnow()
             with self.db.get_cursor() as c:
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index f4b26aa496..8b27e610c4 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -19,6 +19,7 @@
     NoSelfTipping,
     NoTippee,
     BadAmount,
+    EmailAlreadyTaken
 )
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.models.participant import (
@@ -235,7 +236,8 @@ def test_cannot_update_email_to_already_verified(self, send_email):
         self.alice.update_email('alice@gratipay.com')
         nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gratipay.com')[0]
         self.alice.verify_email('alice@gratipay.com', nonce)
-        self.bob.update_email('alice@gratipay.com')
+        with self.assertRaises(EmailAlreadyTaken):
+            self.bob.update_email('alice@gratipay.com')
         assert self.alice.email_address == 'alice@gratipay.com'
         assert self.bob.get_unverified_email() == None
 
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index c2c7dca3ef..8dba91ce6c 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -6,6 +6,7 @@ import json
 import re
 
 from aspen import Response
+from gratipay.exceptions import ProblemChangingEmail
 
 [-----------------------------------------]
 
@@ -20,8 +21,10 @@ address = request.body['email']
 if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
     raise Response(400)
 
-# Woohoo! valid request, store it!
-email = user.participant.update_email(address)
+try:
+	email = user.participant.update_email(address)
+except ProblemChangingEmail, e:
+	raise Response(400, unicode(e))
 
 [---] application/json via json_dump
 {'email': email}

From 904d31b3776def5c1ad066b62b98ed7bc5439aec Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 13:14:27 +0530
Subject: [PATCH 036/107] Updated JS callback behaviour

---
 js/gratipay/account.js               | 26 ++++++++++++++------------
 www/%username/account/index.html.spt | 19 ++++++++++---------
 www/%username/email.json.spt         |  4 ++--
 3 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 5cee456819..8526c917a5 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -134,22 +134,24 @@ Gratipay.account.init = function() {
         $this.css('opacity', 0.5);
 
         function success(data) {
-            $('.email-address').text(data.email);
             $('.email').toggle();
             $('.toggle-email').show();
 
-            if (data.email === '') {
-                $('.toggle-email').text('+ Add');  // TODO i18n
-            } else {
-                $('.toggle-email').text('Edit');  // TODO i18n
-            }
-            if (!data.confirmed) {
+            if (data.email && !data.previous_email) {
+                $('.email-address').text(data.email);
                 $('#email-not-verified').show();
+            }
+
+            if (data.email){
                 Gratipay.notification("We've sent a verification link to " + data.email , 'success');
             }
-            else{
-                Gratipay.notification("We've updated your email address" , 'success');
+
+            if (data.email || data.previous_email) {
+                $('.toggle-email').text('Edit');  // TODO i18n
+            } else {
+                $('.toggle-email').text('+ Add');  // TODO i18n
             }
+
             $this.css('opacity', 1);
         }
 
@@ -158,10 +160,10 @@ Gratipay.account.init = function() {
             type: 'POST',
             dataType: 'json',
             success: success,
-            error: function (data) {
+            error: function (e) {
                 $this.css('opacity', 1);
-                Gratipay.notification('Failed to save your email address. '
-                                  + 'Please try again.', 'error');
+                error_message = JSON.parse(e.responseText).error_message_long;
+                Gratipay.notification(error_message || "Couldn't update email address.", 'error');
             },
             data: {email: $('input.email').val()}
         })
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index ec6cd9a2dc..7ca82d44af 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -11,6 +11,7 @@ username = participant.username   # used in footer shared with on/$platform/
                                   # pages
 locked = False
 
+unverified_email = participant.get_unverified_email()
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/profile.html" %}
@@ -156,22 +157,22 @@ locked = False
                         <a class="address email-address" href="javascript:;">
                             {% if participant.email_address %}
                                 {{ participant.email_address }}
-                            {% elif participant.get_unverified_email() %}
-                                {{ participant.get_unverified_email() }}
+                            {% elif participant.unverified_email %}
+                                {{ participant.unverified_email }}
                             {% endif %}
                         </a>
-                        {% if participant.email_address %}
-                            <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
-                        {% elif participant.get_unverified_email() %}
+                        {% if participant.unverified_email %}
                             <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
+                        {% else %}
+                            <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
                         {% endif %}
                     </div>
 
                     <form class="email-submit">
                         <div class="address">
                            <input type="email" class="email hidden"
-                                {% if participant.email %}
-                                    value="{{ participant.email.address }}"
+                                {% if participant.email_address or participant.unverified_email %}
+                                    value="{{ participant.email_address or unverified_email }}"
                                 {% endif %}
                             />
                         </div>
@@ -179,7 +180,7 @@ locked = False
                             <button type="submit" class="email hidden">Save</button>
                             <button type="cancel" class="email cancel hidden">Cancel</button>
                         </div>
-                        {% if not participant.email_address and participant.get_unverified_email() %}
+                        {% if not participant.email_address and participant.unverified_email %}
                             <div class="buttons">
                                 <button type="resend" class="email">Resend Email</button>
                             </div>
@@ -188,7 +189,7 @@ locked = False
                 </td>
                 <td class="account-action">
                     <button class="toggle-email">
-                        {% if participant.email_address or participant.get_unverified_email() %}
+                        {% if participant.email_address or participant.unverified_email %}
                             {{ _("Edit") }}
                         {% else %}
                             {{ _("+ Add") }}
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 8dba91ce6c..f33328fb4e 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -19,7 +19,7 @@ address = request.body['email']
 # This checks for exactly one @ and at least one . after @
 # The real validation will happen when we send the email
 if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
-    raise Response(400)
+    raise Response(400, "Invalid email address.")
 
 try:
 	email = user.participant.update_email(address)
@@ -27,4 +27,4 @@ except ProblemChangingEmail, e:
 	raise Response(400, unicode(e))
 
 [---] application/json via json_dump
-{'email': email}
+{'email': email, 'previous_email': user.participant.email_address}

From 0214e51d1808ab82aa1aec427ca2737b525a9979 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 14:31:17 +0530
Subject: [PATCH 037/107] Fixed double nonce problem

When a user updates his email twice and tries to verify with the latest link, the UPDATE statement was updating all the rows to confirmed=true, leading to an integrity error
---
 Makefile                           |  4 ++--
 gratipay/models/participant.py     | 38 ++++++++++++++++++------------
 tests/py/test_verify_email_html.py | 17 +++++++++++++
 3 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/Makefile b/Makefile
index 7cb7bb9ef1..5f42b162b5 100644
--- a/Makefile
+++ b/Makefile
@@ -47,10 +47,10 @@ test-schema: env
 pyflakes: env
 	$(env_bin)/pyflakes bin gratipay tests
 
-test: test-schema pytest
+test: test-schema pytest jstest
 
 pytest: env
-	$(py_test) --cov gratipay ./tests/py/test_participant.py
+	$(py_test) --cov gratipay ./tests/py/
 	@$(MAKE) --no-print-directory pyflakes
 
 retest: env
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index a17599cde5..730ca8db9d 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -572,29 +572,36 @@ def update_email(self, email, confirmed=False):
 
         if confirmed:
             with self.db.get_cursor() as c:
-                # TODO: Invalidate all other emails
-
+                c.run("""
+                    UPDATE emails
+                    SET confirmed=NULL
+                    WHERE participant=%s
+                """, (self.username,))
+                # TODO - check whether someone has verified this already? Very unlikely.
                 r = c.one("""
                     UPDATE emails
-                       SET confirmed = true, mtime = %s
-                     WHERE address = %s
-                 RETURNING address
-                """, (utcnow(), email))
-
-                # TODO: What happens another user has verified this email already?
-                #       Either do something here, or below.
+                       SET confirmed=true, mtime=%s
+                      FROM (SELECT id
+                              FROM emails
+                             WHERE participant=%s
+                               AND address=%s
+                               AND confirmed IS NULL
+                          ORDER BY ctime DESC
+                             LIMIT 1) AS unverified
+                       WHERE emails.id=unverified.id
+                   RETURNING address
+                """, (utcnow(), self.username, email))
 
                 # This could be done by a trigger function.
                 c.run("""
                     UPDATE participants
-                       SET email_address = %s
-                     WHERE username = %s
+                       SET email_address=%s
+                     WHERE username=%s
                 """, (email, self.username))
 
                 self.set_attributes(email_address = r)
             return None
         else:
-            # TODO - check whether someone has verified this already?
             exists = self.db.one("""
                 SELECT COUNT(*)
                   FROM participants
@@ -648,8 +655,8 @@ def get_email_nonce_and_ctime(self, email):
         rec = self.db.one("""
             SELECT nonce, ctime
               FROM emails
-             WHERE participant = %s
-               AND address = %s
+             WHERE participant=%s
+               AND address=%s
           ORDER BY ctime DESC
              LIMIT 1
         """, (self.username, email))
@@ -659,7 +666,8 @@ def get_unverified_email(self):
         return self.db.one("""
             SELECT address
               FROM emails
-             WHERE participant = %s
+             WHERE participant=%s
+               AND confirmed IS NULL
           ORDER BY ctime DESC
              LIMIT 1
         """, (self.username,))
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index f63b322c69..7931086c51 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -78,3 +78,20 @@ def test_nonce_is_regenerated_on_update(self):
         self.change_email_address('alice@gmail.com', participant.username)
         nonce2 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
         assert nonce1 != nonce2
+
+    def test_latest_nonce_is_considered(self):
+        participant = self.make_participant('alice', claimed_time="now")
+        self.change_email_address('alice@gmail.com', participant.username)
+        nonce1 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+        self.change_email_address('alice@gmail.com', participant.username)
+        nonce2 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
+
+        self.verify_email(participant.username, 'alice@gmail.com', nonce1)
+        expected = None
+        actual = Participant.from_username(participant.username).email_address
+        assert expected == actual
+
+        self.verify_email(participant.username, 'alice@gmail.com', nonce2)
+        expected = 'alice@gmail.com'
+        actual = Participant.from_username(participant.username).email_address
+        assert expected == actual

From ee6b490403a390eae9a680e241f0f2a356886600 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 14:54:38 +0530
Subject: [PATCH 038/107] Fixed JS behaviour for resending verification email

---
 js/gratipay/account.js               |  7 +++++--
 tests/py/test_pages.py               | 19 ++++++++++++++++++-
 www/%username/account/index.html.spt | 14 +++++++-------
 3 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 8526c917a5..888471197e 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -134,8 +134,11 @@ Gratipay.account.init = function() {
         $this.css('opacity', 0.5);
 
         function success(data) {
-            $('.email').toggle();
-            $('.toggle-email').show();
+            if ($this.data('resend') != 'true')
+            {
+                $('.email').toggle();
+                $('.toggle-email').show();
+            }
 
             if (data.email && !data.previous_email) {
                 $('.email-address').text(data.email);
diff --git a/tests/py/test_pages.py b/tests/py/test_pages.py
index 45e3e9b1a7..3643d8129e 100644
--- a/tests/py/test_pages.py
+++ b/tests/py/test_pages.py
@@ -137,4 +137,21 @@ def test_giving_page_shows_cancelled(self):
         expected1 = "bob"
         expected2 = "cancelled 1 tip"
         assert expected1 in actual
-        assert expected2 in actual
\ No newline at end of file
+        assert expected2 in actual
+
+    def test_account_page_verified_email(self):
+        self.make_participant('alice', claimed_time='now')
+        self.db.run("UPDATE participants SET email_address = 'alice@gmail.com' WHERE username = 'alice'")
+        actual = self.client.GET("/alice/account/", auth_as="alice").body
+        expected = "alice@gmail.com"
+        assert expected in actual
+
+    def test_account_page_unverified_email(self):
+        self.make_participant('alice', claimed_time='now')
+        self.db.run("""
+            INSERT INTO emails (participant, address)
+                 VALUES ('alice', 'alice@gmail.com')
+        """)
+        actual = self.client.GET("/alice/account/", auth_as="alice").body
+        expected = "alice@gmail.com"
+        assert expected in actual
\ No newline at end of file
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 7ca82d44af..2e6f594ce3 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -157,11 +157,11 @@ unverified_email = participant.get_unverified_email()
                         <a class="address email-address" href="javascript:;">
                             {% if participant.email_address %}
                                 {{ participant.email_address }}
-                            {% elif participant.unverified_email %}
-                                {{ participant.unverified_email }}
+                            {% elif unverified_email %}
+                                {{ unverified_email }}
                             {% endif %}
                         </a>
-                        {% if participant.unverified_email %}
+                        {% if unverified_email %}
                             <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
                         {% else %}
                             <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
@@ -171,7 +171,7 @@ unverified_email = participant.get_unverified_email()
                     <form class="email-submit">
                         <div class="address">
                            <input type="email" class="email hidden"
-                                {% if participant.email_address or participant.unverified_email %}
+                                {% if participant.email_address or unverified_email %}
                                     value="{{ participant.email_address or unverified_email }}"
                                 {% endif %}
                             />
@@ -180,16 +180,16 @@ unverified_email = participant.get_unverified_email()
                             <button type="submit" class="email hidden">Save</button>
                             <button type="cancel" class="email cancel hidden">Cancel</button>
                         </div>
-                        {% if not participant.email_address and participant.unverified_email %}
+                        {% if not participant.email_address and unverified_email %}
                             <div class="buttons">
-                                <button type="resend" class="email">Resend Email</button>
+                                <button type="resend" data-resend="true" class="email">Resend Email</button>
                             </div>
                         {% endif %}
                     </form>
                 </td>
                 <td class="account-action">
                     <button class="toggle-email">
-                        {% if participant.email_address or participant.unverified_email %}
+                        {% if participant.email_address or unverified_email %}
                             {{ _("Edit") }}
                         {% else %}
                             {{ _("+ Add") }}

From 208c7665f1f43555b51e395925515fcbb6f03677 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Wed, 22 Oct 2014 15:24:59 +0530
Subject: [PATCH 039/107] Send notice to old email address on email change

---
 gratipay/models/participant.py       |  9 +++++++--
 gratipay/utils/emails.py             | 24 ++++++++++++++++++++++++
 www/%username/account/index.html.spt |  2 +-
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 730ca8db9d..6bf3e660b4 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -564,10 +564,9 @@ def update_email(self, email, confirmed=False):
 
             We return a value only if we've sent a verification email.
         """
-        current_email = self.email_address
 
         # If the email is already confirmed we have nothing to do.
-        if email == current_email:
+        if email == self.email_address:
             return None
 
         if confirmed:
@@ -626,6 +625,12 @@ def update_email(self, email, confirmed=False):
                            , username=self.username
                            , include_unsubscribe=False
                             )
+            if self.email_address:
+                self.send_email( emails.VERIFICATION_NOTICE
+                               , new_email=email
+                               , username=self.username
+                               , include_unsubscribe=False
+                                )
             return email
 
     def verify_email(self, email, nonce):
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 56e9437308..76d3ad0057 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -74,3 +74,27 @@
 
 """,
 )
+
+VERIFICATION_NOTICE = dict(
+    subject="Email change requested on Gratipay",
+    html="""\
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
+    We've received a request to connect <b>{new_email}</b>
+
+    <br>
+
+    to the <b><a href="https://gratipay.com/{username}">{username}</a></b>
+    account on Gratipay. If this wasn't you, contact us at support@gratipay.com.
+
+    <br><br>
+
+
+
+</div>
+""",
+    text="""\
+
+We've received a request to connect {email} to the {username}
+account on Gratipay. If this wasn't you, contact us at support@gratipay.com
+""",
+)
\ No newline at end of file
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 2e6f594ce3..3cfd0d620a 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -161,7 +161,7 @@ unverified_email = participant.get_unverified_email()
                                 {{ unverified_email }}
                             {% endif %}
                         </a>
-                        {% if unverified_email %}
+                        {% if unverified_email and not participant.email_address %}
                             <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
                         {% else %}
                             <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>

From a826986c42ff72ddb2bcbc7bb813e30e7af9ccb1 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 23 Oct 2014 13:17:26 +0530
Subject: [PATCH 040/107] rename 'confirm' to 'verify' everywhere.

---
 branch.sql                         |  4 ++--
 gratipay/models/participant.py     | 16 ++++++++--------
 tests/py/test_verify_email_html.py |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/branch.sql b/branch.sql
index 194670c35d..abf1a54740 100644
--- a/branch.sql
+++ b/branch.sql
@@ -5,12 +5,12 @@ BEGIN;
     CREATE TABLE emails
     ( id                                serial                      PRIMARY KEY
     , address                           text                        NOT NULL
-    , confirmed                         boolean                     DEFAULT NULL
+    , verified                          boolean                     DEFAULT NULL
     , nonce                             text
     , ctime                             timestamp with time zone    NOT NULL DEFAULT CURRENT_TIMESTAMP
     , mtime                             timestamp with time zone
     , participant                       text                        NOT NULL REFERENCES participants
-    , UNIQUE (address, confirmed) -- One verified email address per person.
+    , UNIQUE (address, verified) -- One verified email address per person.
      );
 
     -- The participants table currently has an `email` attribute of type email_address_with confirmation
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 6bf3e660b4..d189264fde 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -551,40 +551,40 @@ def update_avatar(self):
         """, (self.username,))
         self.set_attributes(avatar_url=avatar_url)
 
-    def update_email(self, email, confirmed=False):
+    def update_email(self, email, verify=False):
         """
             Update the email address of a participant.
 
             This could be called when
             1) Adding a new email address
             2) Resending the verification email for an unverified email address
-            3) Confirming an email address
+            3) Verifying an email address
 
             In case 3, we UPDATE rows. In case 1 and 2, we're just INSERTing.
 
             We return a value only if we've sent a verification email.
         """
 
-        # If the email is already confirmed we have nothing to do.
+        # If the email is already verified we have nothing to do.
         if email == self.email_address:
             return None
 
-        if confirmed:
+        if verify:
             with self.db.get_cursor() as c:
                 c.run("""
                     UPDATE emails
-                    SET confirmed=NULL
+                    SET verified=NULL
                     WHERE participant=%s
                 """, (self.username,))
                 # TODO - check whether someone has verified this already? Very unlikely.
                 r = c.one("""
                     UPDATE emails
-                       SET confirmed=true, mtime=%s
+                       SET verified=true, mtime=%s
                       FROM (SELECT id
                               FROM emails
                              WHERE participant=%s
                                AND address=%s
-                               AND confirmed IS NULL
+                               AND verified IS NULL
                           ORDER BY ctime DESC
                              LIMIT 1) AS unverified
                        WHERE emails.id=unverified.id
@@ -672,7 +672,7 @@ def get_unverified_email(self):
             SELECT address
               FROM emails
              WHERE participant=%s
-               AND confirmed IS NULL
+               AND verified IS NULL
           ORDER BY ctime DESC
              LIMIT 1
         """, (self.username,))
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email_html.py
index 7931086c51..d98b1ac1af 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email_html.py
@@ -39,7 +39,7 @@ def test_verify_email(self):
         actual = Participant.from_username(participant.username).email_address
         assert expected == actual
 
-    def test_confirmed_email_is_not_changed_after_update(self):
+    def test_verified_email_is_not_changed_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
         self.change_email_address('alice@gmail.com', participant.username)
         nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]

From 37300cc189f61548e9e4c7979d49a55bb7ee7f43 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 13 Nov 2014 13:25:34 +0530
Subject: [PATCH 041/107] forget the trigger function, add check for already
 verified

---
 branch.sql                     |  5 -----
 gratipay/models/participant.py | 22 +++++++++++-----------
 2 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/branch.sql b/branch.sql
index abf1a54740..6c9ec2c01c 100644
--- a/branch.sql
+++ b/branch.sql
@@ -1,7 +1,4 @@
 BEGIN;
-    -- TODO: Migrate the existing emails - there are 766 users with emails attached.
-    --       This is to be done before we can delete the existing emails and email types.
-
     CREATE TABLE emails
     ( id                                serial                      PRIMARY KEY
     , address                           text                        NOT NULL
@@ -19,6 +16,4 @@ BEGIN;
     -- All unverified email stuff happens in the emails table and won't touch this attribute.
 
     ALTER TABLE participants ADD COLUMN email_address text;
-
-    -- TODO: Add a trigger function to update the email attribute on the user model?.
 END;
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index d189264fde..571876bd82 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -569,6 +569,15 @@ def update_email(self, email, verify=False):
         if email == self.email_address:
             return None
 
+        exists = self.db.one("""
+            SELECT COUNT(*)
+              FROM participants
+             WHERE email_address=%s
+        """, (email,))
+        if exists:
+            raise EmailAlreadyTaken(email)
+            return None
+
         if verify:
             with self.db.get_cursor() as c:
                 c.run("""
@@ -576,7 +585,7 @@ def update_email(self, email, verify=False):
                     SET verified=NULL
                     WHERE participant=%s
                 """, (self.username,))
-                # TODO - check whether someone has verified this already? Very unlikely.
+
                 r = c.one("""
                     UPDATE emails
                        SET verified=true, mtime=%s
@@ -591,24 +600,15 @@ def update_email(self, email, verify=False):
                    RETURNING address
                 """, (utcnow(), self.username, email))
 
-                # This could be done by a trigger function.
                 c.run("""
                     UPDATE participants
                        SET email_address=%s
                      WHERE username=%s
                 """, (email, self.username))
 
-                self.set_attributes(email_address = r)
+                self.set_attributes(email_address=r)
             return None
         else:
-            exists = self.db.one("""
-                SELECT COUNT(*)
-                  FROM participants
-                 WHERE email_address=%s
-            """, (email,))
-            if exists:
-                raise EmailAlreadyTaken(email)
-                return None
             nonce = str(uuid.uuid4())
             ctime = utcnow()
             with self.db.get_cursor() as c:

From d881efa3eefd7029644b7ddcc8213444792c1e7a Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 13 Nov 2014 13:30:24 +0530
Subject: [PATCH 042/107] Cleanup

---
 gratipay/models/participant.py                | 30 +++++++++----------
 ...ify_email_html.py => test_verify_email.py} | 23 +++++++-------
 2 files changed, 24 insertions(+), 29 deletions(-)
 rename tests/py/{test_verify_email_html.py => test_verify_email.py} (80%)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 571876bd82..92017024cc 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -619,34 +619,32 @@ def update_email(self, email, verify=False):
                          VALUES (%s, %s, %s, %s)
                 """, (email, nonce, ctime, self.username))
 
-            self.send_email( emails.VERIFICATION_EMAIL
-                           , email=email
-                           , link=self.get_verification_link(email)
-                           , username=self.username
-                           , include_unsubscribe=False
-                            )
+            self.send_email(emails.VERIFICATION_EMAIL,
+                            email=email,
+                            link=self.get_verification_link(email),
+                            username=self.username,
+                            include_unsubscribe=False)
             if self.email_address:
-                self.send_email( emails.VERIFICATION_NOTICE
-                               , new_email=email
-                               , username=self.username
-                               , include_unsubscribe=False
-                                )
+                self.send_email(emails.VERIFICATION_NOTICE,
+                                new_email=email,
+                                username=self.username,
+                                include_unsubscribe=False)
             return email
 
     def verify_email(self, email, nonce):
         if self.email_address and email == self.email_address:
-            return 0 # Verified
+            return 0  # Verified
         if self.get_unverified_email() != email:
-            return 2
+            return 2  # Failed
         expected_nonce, ctime = self.get_email_nonce_and_ctime(email)
         if constant_time_compare(expected_nonce, nonce):
             if (utcnow() - ctime) < EMAIL_HASH_TIMEOUT:
                 self.update_email(email, True)
-                return 0 # Verified
+                return 0  # Verified
             else:
-                return 1 # Expired
+                return 1  # Expired
         else:
-            return 2 # Failed
+            return 2  # Failed
 
     def get_verification_link(self, email):
         scheme = gratipay.canonical_scheme
diff --git a/tests/py/test_verify_email_html.py b/tests/py/test_verify_email.py
similarity index 80%
rename from tests/py/test_verify_email_html.py
rename to tests/py/test_verify_email.py
index d98b1ac1af..1e38d191c3 100644
--- a/tests/py/test_verify_email_html.py
+++ b/tests/py/test_verify_email.py
@@ -16,6 +16,12 @@ def verify_email(self, username, email, nonce, should_fail=False):
         G = self.client.GxT if should_fail else self.client.GET
         return G(url)
 
+    def verify_and_change_email(self, username, old_email, new_email):
+        self.change_email_address(old_email, username)
+        nonce = Participant.from_username(username).get_email_nonce_and_ctime(old_email)[0]
+        self.verify_email(username, old_email, nonce)
+        self.change_email_address(new_email, username)
+
     def test_verify_email_without_adding_email(self):
         participant = self.make_participant('alice')
         response = self.verify_email(participant.username, '', 'sample-nonce', should_fail=True)
@@ -41,30 +47,21 @@ def test_verify_email(self):
 
     def test_verified_email_is_not_changed_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.verify_email(participant.username, 'alice@gmail.com', nonce)
-        self.change_email_address('alice@yahoo.com', participant.username)
+        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
         expected = 'alice@gmail.com'
         actual = Participant.from_username(participant.username).email_address
         assert expected == actual
 
-    def test_unverified_email_is_set_changed_after_update(self):
+    def test_unverified_email_is_set_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.verify_email(participant.username, 'alice@gmail.com', nonce)
-        self.change_email_address('alice@yahoo.com', participant.username)
+        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
         expected = 'alice@yahoo.com'
         actual = Participant.from_username(participant.username).get_unverified_email()
         assert expected == actual
 
     def test_verify_email_after_update(self):
         participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.verify_email(participant.username, 'alice@gmail.com', nonce)
-        self.change_email_address('alice@yahoo.com', participant.username)
+        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
         nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@yahoo.com')[0]
         self.verify_email(participant.username, 'alice@yahoo.com', nonce)
         expected = 'alice@yahoo.com'

From 890ecd8c84d68b67a68cdae25319d8ac8cbec8f7 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 17 Nov 2014 23:27:01 +0100
Subject: [PATCH 043/107] allow having multiple verified and unverified email
 addresses

---
 branch.sql                          |   5 +-
 gratipay/exceptions.py              |  16 ++-
 gratipay/models/participant.py      | 163 +++++++++++++---------------
 www/%username/email.json.spt        |  29 +++--
 www/%username/verify-email.html.spt |   3 -
 5 files changed, 108 insertions(+), 108 deletions(-)

diff --git a/branch.sql b/branch.sql
index 6c9ec2c01c..cd46156262 100644
--- a/branch.sql
+++ b/branch.sql
@@ -7,7 +7,8 @@ BEGIN;
     , ctime                             timestamp with time zone    NOT NULL DEFAULT CURRENT_TIMESTAMP
     , mtime                             timestamp with time zone
     , participant                       text                        NOT NULL REFERENCES participants
-    , UNIQUE (address, verified) -- One verified email address per person.
+    , UNIQUE (address, verified) -- A verified email address can't be linked to multiple participants.
+    , UNIQUE (participant, address)
      );
 
     -- The participants table currently has an `email` attribute of type email_address_with confirmation
@@ -15,5 +16,5 @@ BEGIN;
     -- The column we're going to replace it with is named `email_address`. This is only for **verified** emails.
     -- All unverified email stuff happens in the emails table and won't touch this attribute.
 
-    ALTER TABLE participants ADD COLUMN email_address text;
+    ALTER TABLE participants ADD COLUMN email_address text UNIQUE;
 END;
diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index 1a2ba61275..adf56212ed 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -1,9 +1,13 @@
 """
 This module contains exceptions shared across application code.
+
+TODO i18n of error messages
 """
 
 from __future__ import print_function, unicode_literals
 
+from aspen import Response
+
 
 class ProblemChangingUsername(Exception):
     def __str__(self):
@@ -25,13 +29,19 @@ class UsernameAlreadyTaken(ProblemChangingUsername):
     msg = "The username '{}' is already taken."
 
 
-class ProblemChangingEmail(Exception):
-    def __str__(self):
-        return self.msg.format(self.args[0])
+class ProblemChangingEmail(Response):
+    def __init__(self, *args):
+        Response.__init__(self, 400, self.msg.format(*args))
 
 class EmailAlreadyTaken(ProblemChangingEmail):
     msg = "An account with the email '{}' already exists"
 
+class CannotRemovePrimaryEmail(ProblemChangingEmail):
+    msg = "You cannot remove your primary email address."
+
+class EmailNotVerified(ProblemChangingEmail):
+    msg = "The email address '{}' is not verified."
+
 
 class ProblemChangingNumber(Exception):
     def __str__(self):
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 92017024cc..e01d14af06 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -32,7 +32,9 @@
     NoTippee,
     BadAmount,
     UserDoesntAcceptTips,
-    EmailAlreadyTaken
+    EmailAlreadyTaken,
+    CannotRemovePrimaryEmail,
+    EmailNotVerified,
 )
 
 from gratipay.models import add_event
@@ -551,66 +553,22 @@ def update_avatar(self):
         """, (self.username,))
         self.set_attributes(avatar_url=avatar_url)
 
-    def update_email(self, email, verify=False):
+    def add_email(self, email):
         """
-            Update the email address of a participant.
-
-            This could be called when
+            This is called when
             1) Adding a new email address
             2) Resending the verification email for an unverified email address
-            3) Verifying an email address
-
-            In case 3, we UPDATE rows. In case 1 and 2, we're just INSERTing.
 
-            We return a value only if we've sent a verification email.
+            Returns the number of emails sent.
         """
 
         # If the email is already verified we have nothing to do.
         if email == self.email_address:
-            return None
-
-        exists = self.db.one("""
-            SELECT COUNT(*)
-              FROM participants
-             WHERE email_address=%s
-        """, (email,))
-        if exists:
-            raise EmailAlreadyTaken(email)
-            return None
-
-        if verify:
-            with self.db.get_cursor() as c:
-                c.run("""
-                    UPDATE emails
-                    SET verified=NULL
-                    WHERE participant=%s
-                """, (self.username,))
-
-                r = c.one("""
-                    UPDATE emails
-                       SET verified=true, mtime=%s
-                      FROM (SELECT id
-                              FROM emails
-                             WHERE participant=%s
-                               AND address=%s
-                               AND verified IS NULL
-                          ORDER BY ctime DESC
-                             LIMIT 1) AS unverified
-                       WHERE emails.id=unverified.id
-                   RETURNING address
-                """, (utcnow(), self.username, email))
-
-                c.run("""
-                    UPDATE participants
-                       SET email_address=%s
-                     WHERE username=%s
-                """, (email, self.username))
+            return 0
 
-                self.set_attributes(email_address=r)
-            return None
-        else:
-            nonce = str(uuid.uuid4())
-            ctime = utcnow()
+        nonce = str(uuid.uuid4())
+        ctime = utcnow()
+        try:
             with self.db.get_cursor() as c:
                 add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
                 c.run("""
@@ -618,63 +576,92 @@ def update_email(self, email, verify=False):
                                 (address, nonce, ctime, participant)
                          VALUES (%s, %s, %s, %s)
                 """, (email, nonce, ctime, self.username))
+        except IntegrityError:
+            nonce = self.db.one("""
+                UPDATE emails
+                   SET ctime=%s
+                 WHERE participant=%s
+                   AND address=%s
+                   AND verified IS NULL
+             RETURNING nonce
+            """, (ctime, self.username, email))
+            if not nonce:
+                return self.add_email(email)
 
-            self.send_email(emails.VERIFICATION_EMAIL,
-                            email=email,
-                            link=self.get_verification_link(email),
+        scheme = gratipay.canonical_scheme
+        host = gratipay.canonical_host
+        username = self.username_lower
+        link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
+        self.send_email(emails.VERIFICATION_EMAIL,
+                        email=email,
+                        link=link.format(**locals()),
+                        username=self.username,
+                        include_unsubscribe=False)
+        if self.email_address:
+            self.send_email(emails.VERIFICATION_NOTICE,
+                            new_email=email,
                             username=self.username,
                             include_unsubscribe=False)
-            if self.email_address:
-                self.send_email(emails.VERIFICATION_NOTICE,
-                                new_email=email,
-                                username=self.username,
-                                include_unsubscribe=False)
-            return email
+            return 2
+        return 1
+
+    def update_email(self, email):
+        if not getattr(self.get_email(email), 'verified', False):
+            raise EmailNotVerified(email)
+        username = self.username
+        self.db.run("""
+            UPDATE participants
+               SET email_address=%(email)s
+             WHERE username=%(username)s
+        """, locals())
+        self.set_attributes(email_address=email)
 
     def verify_email(self, email, nonce):
-        if self.email_address and email == self.email_address:
+        r = self.get_email(email)
+        if r and r.verified:
             return 0  # Verified
-        if self.get_unverified_email() != email:
-            return 2  # Failed
-        expected_nonce, ctime = self.get_email_nonce_and_ctime(email)
-        if constant_time_compare(expected_nonce, nonce):
-            if (utcnow() - ctime) < EMAIL_HASH_TIMEOUT:
-                self.update_email(email, True)
+        if r and constant_time_compare(r.nonce, nonce):
+            if (utcnow() - r.ctime) < EMAIL_HASH_TIMEOUT:
+                try:
+                    self.db.run("""
+                        UPDATE emails
+                           SET verified=true, mtime=now(), nonce=NULL
+                         WHERE participant=%s
+                           AND address=%s
+                           AND verified IS NULL
+                    """, (self.username, email))
+                except IntegrityError:
+                    raise EmailAlreadyTaken(email)
+                self.update_email(email)
                 return 0  # Verified
             else:
                 return 1  # Expired
         else:
             return 2  # Failed
 
-    def get_verification_link(self, email):
-        scheme = gratipay.canonical_scheme
-        host = gratipay.canonical_host
-        nonce = self.get_email_nonce_and_ctime(email)[0]
-        username = self.username_lower
-        link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
-        return link.format(**locals())
-
-    def get_email_nonce_and_ctime(self, email):
-        rec = self.db.one("""
-            SELECT nonce, ctime
+    def get_email(self, email):
+        return self.db.one("""
+            SELECT *
               FROM emails
              WHERE participant=%s
                AND address=%s
-          ORDER BY ctime DESC
-             LIMIT 1
         """, (self.username, email))
-        return rec.nonce, rec.ctime
 
-    def get_unverified_email(self):
-        return self.db.one("""
-            SELECT address
+    def get_emails(self):
+        return self.db.all("""
+            SELECT *
               FROM emails
              WHERE participant=%s
-               AND verified IS NULL
-          ORDER BY ctime DESC
-             LIMIT 1
         """, (self.username,))
 
+    def remove_email(self, address):
+        if address == self.email_address:
+            raise CannotRemovePrimaryEmail()
+        with self.db.get_cursor() as c:
+            add_event(c, 'participant', dict(id=self.id, action='remove', values=dict(email=address)))
+            c.run("DELETE FROM emails WHERE participant=%s AND address=%s",
+                  (self.username, address))
+
     def send_email(self, message, email=None, **params):
         header = emails.HEADER
         include_unsubscribe = params.pop('include_unsubscribe', True)
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index f33328fb4e..b3acdec596 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -1,30 +1,35 @@
 """
-Change the currently authenticated user's email address.
-This will need to send a confirmation email in the future.
+Manages the authenticated user's email addresses.
 """
-import json
 import re
 
 from aspen import Response
 from gratipay.exceptions import ProblemChangingEmail
+from gratipay.utils import get_participant
+
+email_re = re.compile(r'^[^@]+@[^@]+\.[^@]+$')
 
 [-----------------------------------------]
 
-if user.ANON:
-    raise Response(404)
 request.allow("POST")
+participant = get_participant(request, restrict=True)
 
-address = request.body['email']
+action = request.body['action']
+address = request.body['address']
 
 # This checks for exactly one @ and at least one . after @
 # The real validation will happen when we send the email
-if not re.match(r"[^@]+@[^@]+\.[^@]+", address):
+if not email_re.match(address):
     raise Response(400, "Invalid email address.")
 
-try:
-	email = user.participant.update_email(address)
-except ProblemChangingEmail, e:
-	raise Response(400, unicode(e))
+if action in ('add-email', 'resend'):
+    r = participant.add_email(address)
+elif action == 'set-primary':
+    r = participant.update_email(address)
+elif action == 'remove':
+    r = participant.remove_email(address)
+else:
+    raise Response(400, 'unknown action "%s"' % action)
 
 [---] application/json via json_dump
-{'email': email, 'previous_email': user.participant.email_address}
+r
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index d499179b5f..d74e4afd3d 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -12,9 +12,6 @@ qs = request.line.uri.querystring
 nonce = qs.get('nonce', '')
 email = qs.get('email', '')
 
-if not participant.get_unverified_email():
-    raise Response(404)
-
 result = participant.verify_email(email, nonce)
 
 [-----------------------------------------------------------------------------]

From 88a0787fa0a676724ce0981017313fea19fba59f Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 17 Nov 2014 23:28:49 +0100
Subject: [PATCH 044/107] implement UI for multiple email addresses

---
 js/gratipay/account.js               | 95 +++++++---------------------
 scss/modules.scss                    | 30 ++++++++-
 www/%username/account/index.html.spt | 74 ++++++----------------
 3 files changed, 73 insertions(+), 126 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 888471197e..f9bcb5c635 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -119,87 +119,40 @@ Gratipay.account.init = function() {
         $.post('../api-key.json', {action: 'show'}, callback);
     });
 
-    // Wire up email address input.
-    // ============================
-    $('.toggle-email').on("click", function() {
-        $('.email').toggle();
-        $('.toggle-email').hide();
-        $('input.email').focus();
-    });
-
-    // Wire up email form.
-    $('.email-submit').on('click', '[type=submit]', function() {
+    // Wire up email addresses list.
+    // =============================
+    $('.emails button').prop('disabled', false);
+    $('.emails button').on('click', function() {
         var $this = $(this);
+        var action = this.className;
+        var address = $this.parent().data('email') || $('input.add-email').val();
 
-        $this.css('opacity', 0.5);
-
-        function success(data) {
-            if ($this.data('resend') != 'true')
-            {
-                $('.email').toggle();
-                $('.toggle-email').show();
-            }
-
-            if (data.email && !data.previous_email) {
-                $('.email-address').text(data.email);
-                $('#email-not-verified').show();
-            }
-
-            if (data.email){
-                Gratipay.notification("We've sent a verification link to " + data.email , 'success');
-            }
-
-            if (data.email || data.previous_email) {
-                $('.toggle-email').text('Edit');  // TODO i18n
-            } else {
-                $('.toggle-email').text('+ Add');  // TODO i18n
-            }
-
-            $this.css('opacity', 1);
-        }
+        $this.prop('disabled', true);
 
         $.ajax({
             url: '../email.json',
             type: 'POST',
+            data: {action: action, address: address},
             dataType: 'json',
-            success: success,
+            success: function (data) {
+                $this.prop('disabled', false);
+                if (action == 'add-email') {
+                    window.location.reload();
+                } else if (action == 'set-primary') {
+                    $('.emails li').removeClass('primary');
+                    $this.parent().addClass('primary');
+                } else if (action == 'remove') {
+                    $this.parent().fadeOut();
+                } else {
+                    Gratipay.notification("Success" , 'success');
+                }
+            },
             error: function (e) {
-                $this.css('opacity', 1);
+                $this.prop('disabled', false);
                 error_message = JSON.parse(e.responseText).error_message_long;
-                Gratipay.notification(error_message || "Couldn't update email address.", 'error');
+                Gratipay.notification(error_message || "Failure", 'error');
             },
-            data: {email: $('input.email').val()}
-        })
-
-        return false;
-    })
-    .on('click', '[type=cancel]', function () {
-        $('.email').toggle();
-        $('.toggle-email').show();
-
-        return false;
-    }).on('click', '[type=resend]', function () {
-        var $this = $(this);
-        $this.css('opacity', 0.5);
-
-        function success(data) {
-            Gratipay.notification("We've sent a verification link to " + data.email , 'success');
-            $this.css('opacity', 1);
-        }
-
-        $.ajax({
-            url: '../email.json',
-            type: 'POST',
-            dataType: 'json',
-            success: success,
-            error: function (data) {
-                $this.css('opacity', 1);
-                Gratipay.notification('Failed to save your email address. '
-                                  + 'Please try again.', 'error');
-            },
-            data: {email: $('input.email').val()}
-        })
-        return false;
+        });
     });
 
 
diff --git a/scss/modules.scss b/scss/modules.scss
index 56814ac88a..54fa8e5016 100644
--- a/scss/modules.scss
+++ b/scss/modules.scss
@@ -305,4 +305,32 @@ td.dnt-value {
   padding-right: 8px;
 }
 
-
+.emails {
+    .label-primary, .set-primary { display: none; }
+    .verified {
+        .label-unverified, .resend { display: none; }
+        .set-primary { display: inline-block; }
+    }
+    .primary {
+        .set-primary, .remove { display: none; }
+        .label-primary { display: inline; }
+    }
+    li {
+        list-style: square inside;
+        margin: 0 0 0.5em 0.5em;
+    }
+    .label-primary, .label-unverified {
+        font-size: 90%;
+        margin-left: 0.5em;
+    }
+    .label-primary {
+        color: #164a9a;
+    }
+    .label-unverified {
+        color: #aaa;
+    }
+    li button {
+        float: right;
+        margin-left: 5px;
+    }
+}
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 3cfd0d620a..5b81cf9ed1 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -11,7 +11,7 @@ username = participant.username   # used in footer shared with on/$platform/
                                   # pages
 locked = False
 
-unverified_email = participant.get_unverified_email()
+emails = participant.get_emails()
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/profile.html" %}
@@ -145,59 +145,25 @@ unverified_email = participant.get_unverified_email()
             </table>
         {% endif %}
 
-        <h2>{{ _("Email Settings") }}</h2>
-        <table class="accounts">
-            <tr>
-                <td class="account-type">
-                    <img src="{{ website.asset('email.png') }}" />
-                </td>
-                <td class="account-details">
-                    <div class="account-type">{{ _("Email Address (Private)") }}</div>
-                    <div class="email">
-                        <a class="address email-address" href="javascript:;">
-                            {% if participant.email_address %}
-                                {{ participant.email_address }}
-                            {% elif unverified_email %}
-                                {{ unverified_email }}
-                            {% endif %}
-                        </a>
-                        {% if unverified_email and not participant.email_address %}
-                            <span class="none" id="email-not-verified">{{ _("(Unverified)") }}</span>
-                        {% else %}
-                            <span class="none hidden" id="email-not-verified">{{ _("(Unverified)") }}</span>
-                        {% endif %}
-                    </div>
-
-                    <form class="email-submit">
-                        <div class="address">
-                           <input type="email" class="email hidden"
-                                {% if participant.email_address or unverified_email %}
-                                    value="{{ participant.email_address or unverified_email }}"
-                                {% endif %}
-                            />
-                        </div>
-                        <div class="buttons">
-                            <button type="submit" class="email hidden">Save</button>
-                            <button type="cancel" class="email cancel hidden">Cancel</button>
-                        </div>
-                        {% if not participant.email_address and unverified_email %}
-                            <div class="buttons">
-                                <button type="resend" data-resend="true" class="email">Resend Email</button>
-                            </div>
-                        {% endif %}
-                    </form>
-                </td>
-                <td class="account-action">
-                    <button class="toggle-email">
-                        {% if participant.email_address or unverified_email %}
-                            {{ _("Edit") }}
-                        {% else %}
-                            {{ _("+ Add") }}
-                        {% endif %}
-                    </button>
-                </td>
-            </tr>
-        </table>
+        <div class="emails">
+            <h2>{{ _("Email Addresses (Private)") }}</h2>
+            <ul>
+            {% for email in emails %}
+                {% set is_primary = email.address == participant.email_address %}
+                <li class="{{ 'primary' if is_primary }} {{ 'verified' if email.verified }}"
+                    data-email="{{ email.address|e }}">
+                    {{ email.address|e }}
+                    <span class="label-primary">{{ _("Primary") }}</span>
+                    <span class="label-unverified">{{ _("Unverified") }}</span>
+                    <button class="remove">{{ _("Remove") }}</button>
+                    <button class="resend">{{ _("Resend Email") }}</button>
+                    <button class="set-primary">{{ _("Set as primary") }}</button>
+                </li>
+            {% endfor %}
+            </ul>
+            <input class="add-email" name="email" type="email" placeholder="sam@example.net" />
+            <button class="add-email">{{ _("Add email address") }}</button>
+        </div>
 
 
         <!-- API  -->

From 5fe231fa4a7aba31d8228fdbc2987f86bbbefbd4 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 17 Nov 2014 23:29:18 +0100
Subject: [PATCH 045/107] fix and regroup the email tests

---
 tests/py/test_email.py        | 136 ++++++++++++++++++++++++++++++++++
 tests/py/test_email_json.py   |  39 ----------
 tests/py/test_pages.py        |  17 -----
 tests/py/test_participant.py  |  57 --------------
 tests/py/test_verify_email.py |  94 -----------------------
 5 files changed, 136 insertions(+), 207 deletions(-)
 create mode 100644 tests/py/test_email.py
 delete mode 100644 tests/py/test_email_json.py
 delete mode 100644 tests/py/test_verify_email.py

diff --git a/tests/py/test_email.py b/tests/py/test_email.py
new file mode 100644
index 0000000000..12fd4dd7ba
--- /dev/null
+++ b/tests/py/test_email.py
@@ -0,0 +1,136 @@
+import json
+
+import mock
+
+from gratipay.exceptions import EmailAlreadyTaken
+from gratipay.models.participant import Participant
+from gratipay.testing import Harness
+
+
+class TestEmail(Harness):
+
+    def setUp(self):
+        self.alice = self.make_participant('alice', claimed_time='now')
+
+    @mock.patch.object(Participant, 'send_email')
+    def hit_email_spt(self, action, address, send_email, user='alice', should_fail=False):
+        P = self.client.PxST if should_fail else self.client.POST
+        data = {'action': action, 'address': address}
+        return P('/alice/email.json', data, auth_as=user)
+
+    def verify_email(self, email, nonce, username='alice', should_fail=False):
+        url = '/%s/verify-email.html?email=%s&nonce=%s' % (username, email, nonce)
+        G = self.client.GxT if should_fail else self.client.GET
+        return G(url)
+
+    def verify_and_change_email(self, old_email, new_email, username='alice'):
+        self.hit_email_spt('add-email', old_email)
+        nonce = Participant.from_username(username).get_email(old_email).nonce
+        self.verify_email(old_email, nonce)
+        self.hit_email_spt('add-email', new_email)
+
+    def test_participant_can_add_email(self):
+        response = self.hit_email_spt('add-email', 'alice@gratipay.com')
+        actual = json.loads(response.body)
+        assert actual == 1
+
+    def test_post_anon_returns_403(self):
+        response = self.hit_email_spt('add-email', 'anon@gratipay.com', user=None, should_fail=True)
+        assert response.code == 403
+
+    def test_post_with_no_at_symbol_is_400(self):
+        response = self.hit_email_spt('add-email', 'gratipay.com', should_fail=True)
+        assert response.code == 400
+
+    def test_post_with_no_period_symbol_is_400(self):
+        response = self.hit_email_spt('add-email', 'test@gratipay', should_fail=True)
+        assert response.code == 400
+
+    def test_verify_email_without_adding_email(self):
+        response = self.verify_email('', 'sample-nonce')
+        assert 'Failed to verify' in response.body
+
+    def test_verify_email_wrong_nonce(self):
+        self.hit_email_spt('add-email', 'alice@example.com')
+        nonce = 'fake-nonce'
+        r = self.alice.verify_email('alice@gratipay.com', nonce)
+        assert r == 2
+        self.verify_email('alice@example.com', nonce)
+        expected = None
+        actual = Participant.from_username('alice').email_address
+        assert expected == actual
+
+    def test_verify_email_expired_nonce(self):
+        address = 'alice@example.com'
+        self.hit_email_spt('add-email', address)
+        self.db.run("""
+            UPDATE emails
+               SET ctime = (now() - INTERVAL '25 hours')
+             WHERE participant = 'alice'
+        """)
+        nonce = self.alice.get_email(address).nonce
+        r = self.alice.verify_email(address, nonce)
+        assert r == 1
+        actual = Participant.from_username('alice').email_address
+        assert actual == None
+
+    def test_verify_email(self):
+        self.hit_email_spt('add-email', 'alice@example.com')
+        nonce = self.alice.get_email('alice@example.com').nonce
+        self.verify_email('alice@example.com', nonce)
+        expected = 'alice@example.com'
+        actual = Participant.from_username('alice').email_address
+        assert expected == actual
+
+    def test_verified_email_is_not_changed_after_update(self):
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        expected = 'alice@example.com'
+        actual = Participant.from_username('alice').email_address
+        assert expected == actual
+
+    def test_get_emails(self):
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        emails = self.alice.get_emails()
+        assert len(emails) == 2
+
+    def test_verify_email_after_update(self):
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        nonce = self.alice.get_email('alice@example.net').nonce
+        self.verify_email('alice@example.net', nonce)
+        expected = 'alice@example.net'
+        actual = Participant.from_username('alice').email_address
+        assert expected == actual
+
+    def test_nonce_is_reused_when_resending_email(self):
+        self.hit_email_spt('add-email', 'alice@example.com')
+        nonce1 = self.alice.get_email('alice@example.com').nonce
+        self.hit_email_spt('resend', 'alice@example.com')
+        nonce2 = self.alice.get_email('alice@example.com').nonce
+        assert nonce1 == nonce2
+
+    @mock.patch.object(Participant, 'send_email')
+    def test_cannot_update_email_to_already_verified(self, send_email):
+        bob = self.make_participant('bob', claimed_time='now')
+        self.alice.add_email('alice@gratipay.com')
+        nonce = self.alice.get_email('alice@gratipay.com').nonce
+        self.alice.verify_email('alice@gratipay.com', nonce)
+        with self.assertRaises(EmailAlreadyTaken):
+            bob.update_email('alice@gratipay.com')
+        assert self.alice.email_address == 'alice@gratipay.com'
+
+    @mock.patch.object(Participant, 'send_email')
+    def test_can_verify_email(self, send_email):
+        email = 'alice@gratipay.com'
+        self.alice.add_email(email)
+        nonce = self.alice.get_email(email).nonce
+        r = self.alice.verify_email(email, nonce)
+        assert r == 0
+        actual = Participant.from_username('alice').email_address
+        expected = 'alice@gratipay.com'
+        assert actual == expected
+
+    def test_account_page_shows_emails(self):
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        body = self.client.GET("/alice/account/", auth_as="alice").body
+        assert 'alice@example.com' in body
+        assert 'alice@example.net' in body
diff --git a/tests/py/test_email_json.py b/tests/py/test_email_json.py
deleted file mode 100644
index 3f63566c78..0000000000
--- a/tests/py/test_email_json.py
+++ /dev/null
@@ -1,39 +0,0 @@
-from __future__ import unicode_literals
-
-import json
-
-from gratipay.testing import Harness
-
-class TestEmailJson(Harness):
-
-    def change_email_address(self, address, user='alice', should_fail=True):
-        self.make_participant("alice")
-
-        if should_fail:
-            response = self.client.PxST("/alice/email.json"
-                , {'email': address,}
-                , auth_as=user
-            )
-        else:
-            response = self.client.POST("/alice/email.json"
-                , {'email': address,}
-                , auth_as=user
-            )
-        return response
-
-    def test_participant_can_change_email(self):
-        response = self.change_email_address('alice@gratipay.com', should_fail=False)
-        actual = json.loads(response.body)['email']
-        assert actual == 'alice@gratipay.com', actual
-
-    def test_post_anon_returns_404(self):
-        response = self.change_email_address('anon@gratipay.com', user=None)
-        assert response.code == 404, response.code
-
-    def test_post_with_no_at_symbol_is_400(self):
-        response = self.change_email_address('gratipay.com')
-        assert response.code == 400, response.code
-
-    def test_post_with_no_period_symbol_is_400(self):
-        response = self.change_email_address('test@gratipay')
-        assert response.code == 400, response.code
diff --git a/tests/py/test_pages.py b/tests/py/test_pages.py
index 3643d8129e..7880a46e05 100644
--- a/tests/py/test_pages.py
+++ b/tests/py/test_pages.py
@@ -138,20 +138,3 @@ def test_giving_page_shows_cancelled(self):
         expected2 = "cancelled 1 tip"
         assert expected1 in actual
         assert expected2 in actual
-
-    def test_account_page_verified_email(self):
-        self.make_participant('alice', claimed_time='now')
-        self.db.run("UPDATE participants SET email_address = 'alice@gmail.com' WHERE username = 'alice'")
-        actual = self.client.GET("/alice/account/", auth_as="alice").body
-        expected = "alice@gmail.com"
-        assert expected in actual
-
-    def test_account_page_unverified_email(self):
-        self.make_participant('alice', claimed_time='now')
-        self.db.run("""
-            INSERT INTO emails (participant, address)
-                 VALUES ('alice', 'alice@gmail.com')
-        """)
-        actual = self.client.GET("/alice/account/", auth_as="alice").body
-        expected = "alice@gmail.com"
-        assert expected in actual
\ No newline at end of file
diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index 8b27e610c4..9f7bb530cd 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -4,7 +4,6 @@
 from decimal import Decimal
 import random
 
-import mock
 import pytest
 
 from aspen.utils import utcnow
@@ -19,7 +18,6 @@
     NoSelfTipping,
     NoTippee,
     BadAmount,
-    EmailAlreadyTaken
 )
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.models.participant import (
@@ -224,61 +222,6 @@ def test_john_is_plural(self):
         actual = Participant.from_username('john').IS_PLURAL
         assert actual == expected
 
-    @mock.patch.object(Participant, 'send_email')
-    def test_can_update_email(self, send_email):
-        self.alice.update_email('alice@gratipay.com')
-        expected = 'alice@gratipay.com'
-        actual = self.alice.get_unverified_email()
-        assert actual == expected
-
-    @mock.patch.object(Participant, 'send_email')
-    def test_cannot_update_email_to_already_verified(self, send_email):
-        self.alice.update_email('alice@gratipay.com')
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gratipay.com')[0]
-        self.alice.verify_email('alice@gratipay.com', nonce)
-        with self.assertRaises(EmailAlreadyTaken):
-            self.bob.update_email('alice@gratipay.com')
-        assert self.alice.email_address == 'alice@gratipay.com'
-        assert self.bob.get_unverified_email() == None
-
-    @mock.patch.object(Participant, 'send_email')
-    def test_can_verify_email(self, send_email):
-        self.alice.update_email('alice@gratipay.com')
-        email = Participant.from_username('alice').get_unverified_email()
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime(email)[0]
-        r = self.alice.verify_email(email, nonce)
-        assert r == 0
-        actual = Participant.from_username('alice').email_address
-        expected = 'alice@gratipay.com'
-        assert actual == expected
-
-    @mock.patch.object(Participant, 'send_email')
-    def test_cannot_verify_email_with_wrong_nonce(self, send_email):
-        self.alice.update_email('alice@gratipay.com')
-        nonce = "some wrong nonce"
-        r = self.alice.verify_email("alice@gratipay.com", nonce)
-        assert r == 2
-        actual = Participant.from_username('alice').email_address
-        assert actual == None
-
-    @mock.patch.object(Participant, 'send_email')
-    def test_cannot_verify_email_with_expired_nonce(self, send_email):
-        self.alice.update_email('alice@gratipay.com')
-        email = self.db.one("""
-            UPDATE emails
-               SET ctime = (now() - INTERVAL '25 hours')
-             WHERE participant = 'alice'
-         RETURNING address
-        """)
-        nonce = self.alice.get_email_nonce_and_ctime(email)[0]
-        r = self.alice.verify_email("alice@gratipay.com", nonce)
-        assert r == 1
-        actual = Participant.from_username('alice').email_address
-        assert actual == None
-        actual = Participant.from_username('alice').get_unverified_email()
-        expected = 'alice@gratipay.com'
-        assert actual == expected
-
     def test_cant_take_over_claimed_participant_without_confirmation(self):
         with self.assertRaises(NeedConfirmation):
             self.alice.take_over(('twitter', str(self.bob.id)))
diff --git a/tests/py/test_verify_email.py b/tests/py/test_verify_email.py
deleted file mode 100644
index 1e38d191c3..0000000000
--- a/tests/py/test_verify_email.py
+++ /dev/null
@@ -1,94 +0,0 @@
-import mock
-
-from gratipay.models.participant import Participant
-from gratipay.testing import Harness
-
-
-class TestForVerifyEmail(Harness):
-
-    @mock.patch.object(Participant, 'send_email')
-    def change_email_address(self, address, username, send_email):
-        url = "/%s/email.json" % username
-        return self.client.POST(url, {'email': address}, auth_as=username)
-
-    def verify_email(self, username, email, nonce, should_fail=False):
-        url = '/%s/verify-email.html?email=%s&nonce=%s' % (username, email, nonce)
-        G = self.client.GxT if should_fail else self.client.GET
-        return G(url)
-
-    def verify_and_change_email(self, username, old_email, new_email):
-        self.change_email_address(old_email, username)
-        nonce = Participant.from_username(username).get_email_nonce_and_ctime(old_email)[0]
-        self.verify_email(username, old_email, nonce)
-        self.change_email_address(new_email, username)
-
-    def test_verify_email_without_adding_email(self):
-        participant = self.make_participant('alice')
-        response = self.verify_email(participant.username, '', 'sample-nonce', should_fail=True)
-        assert response.code == 404
-
-    def test_verify_email_wrong_nonce(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        self.verify_email(participant.username, 'alice@gmail.com', 'sample-nonce')
-        expected = None
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual
-
-    def test_verify_email(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce = Participant.from_username(participant.username)
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.verify_email(participant.username, 'alice@gmail.com', nonce)
-        expected = 'alice@gmail.com'
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual
-
-    def test_verified_email_is_not_changed_after_update(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
-        expected = 'alice@gmail.com'
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual
-
-    def test_unverified_email_is_set_after_update(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
-        expected = 'alice@yahoo.com'
-        actual = Participant.from_username(participant.username).get_unverified_email()
-        assert expected == actual
-
-    def test_verify_email_after_update(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.verify_and_change_email('alice', 'alice@gmail.com', 'alice@yahoo.com')
-        nonce = Participant.from_username('alice').get_email_nonce_and_ctime('alice@yahoo.com')[0]
-        self.verify_email(participant.username, 'alice@yahoo.com', nonce)
-        expected = 'alice@yahoo.com'
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual
-
-    def test_nonce_is_regenerated_on_update(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce1 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce2 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        assert nonce1 != nonce2
-
-    def test_latest_nonce_is_considered(self):
-        participant = self.make_participant('alice', claimed_time="now")
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce1 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-        self.change_email_address('alice@gmail.com', participant.username)
-        nonce2 = Participant.from_username('alice').get_email_nonce_and_ctime('alice@gmail.com')[0]
-
-        self.verify_email(participant.username, 'alice@gmail.com', nonce1)
-        expected = None
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual
-
-        self.verify_email(participant.username, 'alice@gmail.com', nonce2)
-        expected = 'alice@gmail.com'
-        actual = Participant.from_username(participant.username).email_address
-        assert expected == actual

From 03bfd2059cfaa7043cbcd941465df6b790f84726 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 18 Nov 2014 14:51:46 +0100
Subject: [PATCH 046/107] add `branch.py` script for initial email burst

---
 branch.py | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 branch.py

diff --git a/branch.py b/branch.py
new file mode 100644
index 0000000000..19b886f167
--- /dev/null
+++ b/branch.py
@@ -0,0 +1,89 @@
+"""
+This is a one-off script to populate the new `emails` table using the addresses
+we have in `participants` and `elsewhere`.
+"""
+from __future__ import division, print_function, unicode_literals
+
+import uuid
+
+from aspen.utils import utcnow
+import gratipay.wireup
+
+env = gratipay.wireup.env()
+db = gratipay.wireup.db(env)
+gratipay.wireup.mail(env)
+
+
+INITIAL_EMAIL = dict(
+    subject="Connect to {username} on Gratipay?",
+    html="""\
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
+    We're working on adding email notifications to Gratipay (formerly Gittip)
+    and we're sending this email to confirm that you (<b>{email}</b>)
+    <br>
+    are the owner of the <b><a href="https://gratipay.com/{username}">{username}</a></b>
+    account on Gratipay. Sound familiar?
+    <br>
+    <br>
+    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
+
+</div>
+""",
+    text="""\
+
+We're working on adding email notifications to Gratipay (formerly Gittip)
+and we're sending this email to confirm that you ({email}) are the owner
+of the {username} account on Gratipay. Sound familiar? Follow this link
+to finish connecting your email:
+
+{link}
+
+""",
+)
+
+
+def add_email(self, email):
+    nonce = str(uuid.uuid4())
+    ctime = utcnow()
+    db.run("""
+        INSERT INTO emails
+                    (address, nonce, ctime, participant)
+             VALUES (%s, %s, %s, %s)
+    """, (email, nonce, ctime, self.username))
+
+    username = self.username_lower
+    link = "https://gratipay.com/{username}/verify-email.html?email={email}&nonce={nonce}"
+    self.send_email(INITIAL_EMAIL,
+                    email=email,
+                    link=link.format(**locals()),
+                    username=self.username,
+                    include_unsubscribe=False)
+
+
+participants = db.all("""
+    UPDATE participants p
+       SET email = (e.email, false)
+      FROM (
+               SELECT DISTINCT ON (participant)
+                      participant, email
+                 FROM elsewhere
+                WHERE email IS NOT NULL AND email <> ''
+             ORDER BY participant, platform = 'github' DESC
+           ) e
+     WHERE e.participant = p.username
+       AND p.email IS NULL
+       AND NOT p.is_closed
+       AND p.is_suspicious IS NOT true
+       AND p.claimed_time IS NOT NULL;
+
+    SELECT p.*::participants
+      FROM participants p
+     WHERE email IS NOT NULL
+       AND NOT is_closed
+       AND is_suspicious IS NOT true
+       AND claimed_time IS NOT NULL;
+""")
+total = len(participants)
+for i, p in enumerate(participants, 1):
+    print('sending email to %s (%i/%i)' % (p.username, i, total))
+    add_email(p, p.email.address)

From c8c71e270c15fbffaadfcd355589a97cd9e588ee Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 18 Nov 2014 16:27:59 +0100
Subject: [PATCH 047/107] limit the number of email addresses

---
 gratipay/exceptions.py         |  3 +++
 gratipay/models/participant.py | 10 +++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index adf56212ed..063a4b2f3a 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -42,6 +42,9 @@ class CannotRemovePrimaryEmail(ProblemChangingEmail):
 class EmailNotVerified(ProblemChangingEmail):
     msg = "The email address '{}' is not verified."
 
+class TooManyEmailAddresses(ProblemChangingEmail):
+    msg = "You've reached the maximum number of email addresses we allow."
+
 
 class ProblemChangingNumber(Exception):
     def __str__(self):
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index e01d14af06..f10ead431a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -35,6 +35,7 @@
     EmailAlreadyTaken,
     CannotRemovePrimaryEmail,
     EmailNotVerified,
+    TooManyEmailAddresses,
 )
 
 from gratipay.models import add_event
@@ -566,6 +567,9 @@ def add_email(self, email):
         if email == self.email_address:
             return 0
 
+        if len(self.get_emails('verified is null')) > 9:
+            raise TooManyEmailAddresses(email)
+
         nonce = str(uuid.uuid4())
         ctime = utcnow()
         try:
@@ -647,12 +651,12 @@ def get_email(self, email):
                AND address=%s
         """, (self.username, email))
 
-    def get_emails(self):
+    def get_emails(self, condition='true'):
         return self.db.all("""
             SELECT *
               FROM emails
-             WHERE participant=%s
-        """, (self.username,))
+             WHERE participant=%s AND {0}
+        """.format(condition), (self.username,))
 
     def remove_email(self, address):
         if address == self.email_address:

From 12453f14e7398df2d5818dd77ea6b90b65322a79 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 18 Nov 2014 16:57:32 +0100
Subject: [PATCH 048/107] remove leftover test fixture

---
 tests/py/fixtures/TestEmailJson.yml | 28 ----------------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 tests/py/fixtures/TestEmailJson.yml

diff --git a/tests/py/fixtures/TestEmailJson.yml b/tests/py/fixtures/TestEmailJson.yml
deleted file mode 100644
index 7fb2d27356..0000000000
--- a/tests/py/fixtures/TestEmailJson.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-interactions:
-- request:
-    body: '{"async": false, "message": {"from_name": "Gratipay", "text": "\nWelcome
-      to Gratipay! Verify your email address:\n\nhttp:///alice/verify-email.html?nonce=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\n",
-      "from_email": "support@gratipay.com", "to": [{"email": "alice@gratipay.com",
-      "name": "alice"}], "html": "\nWelcome to Gratipay!\n<br><br>\n<a href=\"http:///alice/verify-email.html?nonce=e6f85c8c-5ea8-4803-b620-2f6ed3e79657\">Verify
-      your email address</a>.\n", "subject": "Welcome to Gratipay!"}, "send_at": null,
-      "key": "Phh_Lm3RdPT5blqOPY4dVQ", "ip_pool": null}'
-    headers: {}
-    method: POST
-    uri: https://mandrillapp.com:443/api/1.0/messages/send.json
-  response:
-    body:
-      string: !!binary |
-        H4sIAAAAAAAAAwzKQQrCMBBG4bvMugiaZGy78h4iZZr+KZE0lWS6EPHuzfLjveePsElMNJKk6PFY
-        i2j8yPfi9406qip61FYrsjZPcWng4Y5gzC24xdvAboCxjq+We8OQfm5jwRtepwKpe6YxHyn9XycA
-        AAD//wMAm9FJfW4AAAA=
-    headers:
-      access-control-allow-credentials: ['false']
-      access-control-allow-headers: [Content-Type]
-      access-control-allow-methods: ['POST, GET, OPTIONS']
-      access-control-allow-origin: ['*']
-      content-encoding: [gzip]
-      content-type: [application/json; charset=utf-8]
-      transfer-encoding: [chunked]
-      vary: [Accept-Encoding]
-    status: {code: 200, message: OK}
-version: 1

From c36a91898168832e0130b00242a35e22d0fea731 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 20 Nov 2014 11:29:51 +0100
Subject: [PATCH 049/107] remove email_address_with_confirmation

---
 gratipay/models/email_address_with_confirmation.py | 6 ------
 gratipay/wireup.py                                 | 2 --
 2 files changed, 8 deletions(-)
 delete mode 100644 gratipay/models/email_address_with_confirmation.py

diff --git a/gratipay/models/email_address_with_confirmation.py b/gratipay/models/email_address_with_confirmation.py
deleted file mode 100644
index 9996e87e6a..0000000000
--- a/gratipay/models/email_address_with_confirmation.py
+++ /dev/null
@@ -1,6 +0,0 @@
-from postgres.orm import Model
-
-
-class EmailAddressWithConfirmation(Model):
-
-    typname = "email_address_with_confirmation"
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index a8f2c630db..458eaaab05 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -29,7 +29,6 @@
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.models.community import Community
 from gratipay.models.participant import Participant
-from gratipay.models.email_address_with_confirmation import EmailAddressWithConfirmation
 from gratipay.models import GratipayDB
 from gratipay.utils import COUNTRIES, COUNTRIES_MAP
 from gratipay.utils.cache_static import asset_etag
@@ -48,7 +47,6 @@ def db(env):
     db.register_model(Community)
     db.register_model(AccountElsewhere)
     db.register_model(Participant)
-    db.register_model(EmailAddressWithConfirmation)
     gratipay.billing.payday.Payday.db = db
 
     return db

From 0b357193f52d833b33094a311e8444dd1b762e43 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 20 Nov 2014 18:09:39 +0100
Subject: [PATCH 050/107] notify users who don't have a verified email address

---
 templates/base.html                  | 13 ++++++++++++-
 www/%username/account/index.html.spt |  2 +-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/templates/base.html b/templates/base.html
index e3026a6edb..50be746324 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -142,8 +142,9 @@ <h1>{{ title }}</h1>
 
     {% endblock %}
 
-    {% if not user.ANON and not request.line.uri.startswith('/credit-card.html') %}
+    {% if not user.ANON %}
     <script>
+        {% if not request.line.uri.startswith('/credit-card.html') %}
         {% if user.participant.last_bill_result %}
         Gratipay.notification(
             ["span", "{{ _('Your credit card has failed!') }} ",
@@ -157,6 +158,16 @@ <h1>{{ title }}</h1>
             ], "error"
         );
         {% endif %}
+        {% endif %}
+        {% if not user.participant.email_address and not request.line.uri.path.raw.endswith('/account/') %}
+        {% if not user.participant.get_emails() %}
+        Gratipay.notification(
+            ["span", "{{ _('Your account does not have an associated email address.') }} ",
+                ['a', {'href': '/{{ user.participant.username }}/account/#emails'}, "{{ _('Add an email address') }}"]
+            ], "notice", -1
+        );
+        {% endif %}
+        {% endif %}
     </script>
     {% endif %}
 </body>
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 5b81cf9ed1..6f25a77344 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -145,7 +145,7 @@ emails = participant.get_emails()
             </table>
         {% endif %}
 
-        <div class="emails">
+        <div id="emails" class="emails">
             <h2>{{ _("Email Addresses (Private)") }}</h2>
             <ul>
             {% for email in emails %}

From 71be2437e5b708443ec155fe7d5102e7549055a7 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 20 Nov 2014 18:11:00 +0100
Subject: [PATCH 051/107] fix i18n in `verify-email.html.spt`

---
 www/%username/verify-email.html.spt | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index d74e4afd3d..814eada03c 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -1,9 +1,11 @@
 """Verify a participant's email
 """
-from gratipay.utils import get_participant
+from cgi import escape
+from datetime import timedelta
+
 from aspen import Response
 from aspen.utils import utcnow
-from datetime import timedelta
+from gratipay.utils import get_participant
 
 [-----------------------------------------------------------------------------]
 
@@ -17,10 +19,6 @@ result = participant.verify_email(email, nonce)
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}
 
-{% block scripts %}
-
-{% endblock %}
-
 {% block heading %}
     <h1>Verify Email</h1>
 {% endblock %}
@@ -30,8 +28,8 @@ result = participant.verify_email(email, nonce)
     {% if result == 0 %}
         <h1>{{ _("Success!") }}</h1>
 
-        <p>Your email address <b>{{ participant.email_address }}</b> is now
-        connected to your Gratipay account.</p>
+        <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
+                "<b>%s</b>" % escape(email)) }}</p>
 
     {% elif result == 1  %}
         <h1>{{ _("Your verification email has expired.") }}</h1>

From 43448cada818a72b9125f5a353498250c14d98f0 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 20 Nov 2014 18:17:54 +0100
Subject: [PATCH 052/107] make the `website` object available to the DB model
 classes

---
 configure-aspen.py | 2 +-
 gratipay/wireup.py | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/configure-aspen.py b/configure-aspen.py
index e89babc903..6876070684 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -62,7 +62,7 @@ def _set_cookie(response, *args, **kw):
 env = website.env = gratipay.wireup.env()
 tell_sentry = website.tell_sentry = gratipay.wireup.make_sentry_teller(env)
 gratipay.wireup.canonical(env)
-website.db = gratipay.wireup.db(env)
+website.db = gratipay.wireup.db(website, env)
 website.mailer = gratipay.wireup.mail(env)
 gratipay.wireup.billing(env)
 gratipay.wireup.username_restrictions(website)
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index 458eaaab05..76d810a084 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -39,14 +39,14 @@ def canonical(env):
     gratipay.canonical_host = env.canonical_host
 
 
-def db(env):
+def db(website, env):
     dburl = env.database_url
     maxconn = env.database_maxconn
     db = GratipayDB(dburl, maxconn=maxconn)
 
-    db.register_model(Community)
-    db.register_model(AccountElsewhere)
-    db.register_model(Participant)
+    for model in (Community, AccountElsewhere, Participant):
+        db.register_model(model)
+        model.website = website
     gratipay.billing.payday.Payday.db = db
 
     return db

From fad8bf2bfb134fe0d8740843340d2ec9999b38cd Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 21 Nov 2014 14:47:00 +0100
Subject: [PATCH 053/107] split some i18n functions for reuse in
 `Participant.send_email()`

---
 configure-aspen.py     |  2 +-
 gratipay/utils/i18n.py | 24 ++++++++++++++++--------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/configure-aspen.py b/configure-aspen.py
index 6876070684..9c49d83ddf 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -158,7 +158,7 @@ def add_stuff_to_context(request):
                       , authentication.get_auth_from_request
                       , csrf.get_csrf_token_from_request
                       , add_stuff_to_context
-                      , i18n.add_helpers_to_context
+                      , i18n.set_up_i18n
 
                       , algorithm['dispatch_request_to_filesystem']
 
diff --git a/gratipay/utils/i18n.py b/gratipay/utils/i18n.py
index 4b2ed6bd6c..a7d0c5defd 100644
--- a/gratipay/utils/i18n.py
+++ b/gratipay/utils/i18n.py
@@ -38,7 +38,7 @@ def get_function_from_rule(rule):
     return eval('lambda n: ' + rule, {'__builtins__': {}})
 
 
-def get_text(request, loc, s, *a, **kw):
+def get_text(loc, s, *a, **kw):
     msg = loc.catalog.get(s)
     if msg:
         s = msg.string or s
@@ -104,10 +104,12 @@ def strip_accents(s):
     return ''.join(c for c in normalize('NFKD', s) if not combining(c))
 
 
-def get_locale_for_request(request, website):
-    accept_lang = request.headers.get("Accept-Language", "")
+def parse_accept_lang(accept_lang):
     languages = (lang.split(";", 1)[0] for lang in accept_lang.split(","))
-    languages = request.accept_langs = regularize_locales(languages)
+    return regularize_locales(languages)
+
+
+def match_lang(languages, website):
     for lang in languages:
         loc = website.locales.get(lang)
         if loc:
@@ -122,11 +124,17 @@ def format_currency_with_options(number, currency, locale='en', trailing_zeroes=
     return s
 
 
-def add_helpers_to_context(website, request):
-    context = request.context
-    loc = context['locale'] = get_locale_for_request(request, website)
+def set_up_i18n(website, request):
+    accept_lang = request.headers.get("Accept-Language", "")
+    langs = request.accept_langs = parse_accept_lang(accept_lang)
+    loc = match_lang(langs, website)
+    add_helpers_to_context(website, request.context, loc, request)
+
+
+def add_helpers_to_context(website, context, loc, request=None):
+    context['locale'] = loc
     context['decimal_symbol'] = get_decimal_symbol(locale=loc)
-    context['_'] = lambda s, *a, **kw: get_text(request, loc, s, *a, **kw)
+    context['_'] = lambda s, *a, **kw: get_text(loc, s, *a, **kw)
     context['ngettext'] = lambda *a, **kw: n_get_text(website, request, loc, *a, **kw)
     context['format_number'] = lambda *a: format_number(*a, locale=loc)
     context['format_decimal'] = lambda *a: format_decimal(*a, locale=loc)

From 645f5ceb46e0e2c74432e62d33e7d300f89404e5 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 21 Nov 2014 14:52:58 +0100
Subject: [PATCH 054/107] implement email i18n

---
 branch.py                      |  30 +--------
 branch.sql                     |   3 +-
 configure-aspen.py             |   4 +-
 emails/base.spt                |  35 +++++++++++
 emails/initial.spt             |  21 +++++++
 emails/verification.spt        |  17 ++++++
 emails/verification_notice.spt |  14 +++++
 gratipay/models/participant.py |  39 ++++++------
 gratipay/utils/emails.py       | 108 +++++----------------------------
 gratipay/wireup.py             |  16 +++--
 10 files changed, 138 insertions(+), 149 deletions(-)
 create mode 100644 emails/base.spt
 create mode 100644 emails/initial.spt
 create mode 100644 emails/verification.spt
 create mode 100644 emails/verification_notice.spt

diff --git a/branch.py b/branch.py
index 19b886f167..ded8662436 100644
--- a/branch.py
+++ b/branch.py
@@ -14,34 +14,6 @@
 gratipay.wireup.mail(env)
 
 
-INITIAL_EMAIL = dict(
-    subject="Connect to {username} on Gratipay?",
-    html="""\
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    We're working on adding email notifications to Gratipay (formerly Gittip)
-    and we're sending this email to confirm that you (<b>{email}</b>)
-    <br>
-    are the owner of the <b><a href="https://gratipay.com/{username}">{username}</a></b>
-    account on Gratipay. Sound familiar?
-    <br>
-    <br>
-    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
-
-</div>
-""",
-    text="""\
-
-We're working on adding email notifications to Gratipay (formerly Gittip)
-and we're sending this email to confirm that you ({email}) are the owner
-of the {username} account on Gratipay. Sound familiar? Follow this link
-to finish connecting your email:
-
-{link}
-
-""",
-)
-
-
 def add_email(self, email):
     nonce = str(uuid.uuid4())
     ctime = utcnow()
@@ -53,7 +25,7 @@ def add_email(self, email):
 
     username = self.username_lower
     link = "https://gratipay.com/{username}/verify-email.html?email={email}&nonce={nonce}"
-    self.send_email(INITIAL_EMAIL,
+    self.send_email('initial',
                     email=email,
                     link=link.format(**locals()),
                     username=self.username,
diff --git a/branch.sql b/branch.sql
index cd46156262..f78302dd89 100644
--- a/branch.sql
+++ b/branch.sql
@@ -16,5 +16,6 @@ BEGIN;
     -- The column we're going to replace it with is named `email_address`. This is only for **verified** emails.
     -- All unverified email stuff happens in the emails table and won't touch this attribute.
 
-    ALTER TABLE participants ADD COLUMN email_address text UNIQUE;
+    ALTER TABLE participants ADD COLUMN email_address text UNIQUE,
+                             ADD COLUMN email_lang text;
 END;
diff --git a/configure-aspen.py b/configure-aspen.py
index 9c49d83ddf..51efccb63e 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -62,8 +62,8 @@ def _set_cookie(response, *args, **kw):
 env = website.env = gratipay.wireup.env()
 tell_sentry = website.tell_sentry = gratipay.wireup.make_sentry_teller(env)
 gratipay.wireup.canonical(env)
-website.db = gratipay.wireup.db(website, env)
-website.mailer = gratipay.wireup.mail(env)
+gratipay.wireup.db(website, env)
+gratipay.wireup.mail(website, env)
 gratipay.wireup.billing(env)
 gratipay.wireup.username_restrictions(website)
 gratipay.wireup.nanswers(env)
diff --git a/emails/base.spt b/emails/base.spt
new file mode 100644
index 0000000000..248d65caa9
--- /dev/null
+++ b/emails/base.spt
@@ -0,0 +1,35 @@
+[---] text/html
+<div style="text-align: center; padding: 20px 0; margin: 0;">
+    <img src="https://downloads.gratipay.com/email/gratipay.png" alt="Gratipay">
+</div>
+
+$body
+
+{% if include_unsubscribe %}
+    TODO
+{% endif %}
+
+<div style="text-align: center; color: #999; padding: 21px 0 0;">
+    <div style="font: normal 14px/21px Arial, sans-serif;">
+        {{ _("Something not right? Reply to this email for help.") }}
+    </div>
+    <div style="font: normal 10px/21px Arial, sans-serif;">
+        Sent by <a href="https://gratipay.com/" style="color: #999; text-decoration: underline;">Gratipay, LLC</a> | 716 Park Road, Ambridge, PA, 15003, USA
+    </div>
+</div>
+
+[---] text/plain
+{{ _("Greetings, program!") }}
+
+$body
+
+{% if include_unsubscribe %}
+    TODO
+{% endif %}
+
+{{ _("Something not right? Reply to this email for help.") }}
+
+----
+
+Sent by Gratipay, LLC, https://gratipay.com/
+716 Park Road, Ambridge, PA, 15003, USA
diff --git a/emails/initial.spt b/emails/initial.spt
new file mode 100644
index 0000000000..e8da3ee47b
--- /dev/null
+++ b/emails/initial.spt
@@ -0,0 +1,21 @@
+{{ _("Connect to {0} on Gratipay?", username) }}
+
+[---] text/html
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
+    We're working on adding email notifications to Gratipay (formerly Gittip)
+    and we're sending this email to confirm that you (<b>{{ email|e }}</b>)
+    <br>
+    are the owner of the <b><a href="https://gratipay.com/{{ username }}">{{ username }}</a></b>
+    account on Gratipay. Sound familiar?
+    <br>
+    <br>
+    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
+
+</div>
+[---] text/plain
+We're working on adding email notifications to Gratipay (formerly Gittip)
+and we're sending this email to confirm that you ({{ email }}) are the owner
+of the {{ username }} account on Gratipay. Sound familiar? Follow this link
+to finish connecting your email:
+
+{{ link }}
diff --git a/emails/verification.spt b/emails/verification.spt
new file mode 100644
index 0000000000..6392dfc0b6
--- /dev/null
+++ b/emails/verification.spt
@@ -0,0 +1,17 @@
+{{ _("Connect to {0} on Gratipay?", username) }}
+
+[---] text/html
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
+    {{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?",
+         '<b>%s</b><br>' % escape(email),
+         '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
+    <br>
+    <br>
+    <a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">{{ _("Yes, proceed!") }}</a>
+</div>
+
+[---] text/plain
+{{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?", email, username) }}
+{{ _("Follow this link to finish connecting your email:") }}
+
+{{ link }}
diff --git a/emails/verification_notice.spt b/emails/verification_notice.spt
new file mode 100644
index 0000000000..ea4d947b33
--- /dev/null
+++ b/emails/verification_notice.spt
@@ -0,0 +1,14 @@
+{{ _("Email change requested on Gratipay") }}
+
+[---] text/html
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
+    {{ _("We've received a request to connect {0} to the {1} account on Gratipay.",
+         '<b>%s</b><br>' % escape(email),
+         '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
+    <br>
+    {{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}
+</div>
+
+[---] text/plain
+{{ _("We've received a request to connect {0} to the {1} account on Gratipay.", email, username) }}
+{{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index f10ead431a..436e3ea5c0 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -10,6 +10,7 @@
 """
 from __future__ import print_function, unicode_literals
 
+from cgi import escape
 from datetime import timedelta
 from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
 import uuid
@@ -42,8 +43,8 @@
 from gratipay.models._mixin_team import MixinTeam
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.security.crypto import constant_time_compare
+from gratipay.utils import i18n, is_card_expiring
 from gratipay.utils.username import safely_reserve_a_username
-from gratipay.utils import emails, is_card_expiring
 
 
 ASCII_ALLOWED_IN_USERNAME = set("0123456789"
@@ -596,15 +597,13 @@ def add_email(self, email):
         host = gratipay.canonical_host
         username = self.username_lower
         link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
-        self.send_email(emails.VERIFICATION_EMAIL,
+        self.send_email('verification',
                         email=email,
                         link=link.format(**locals()),
-                        username=self.username,
                         include_unsubscribe=False)
         if self.email_address:
-            self.send_email(emails.VERIFICATION_NOTICE,
+            self.send_email('verification_notice',
                             new_email=email,
-                            username=self.username,
                             include_unsubscribe=False)
             return 2
         return 1
@@ -666,22 +665,28 @@ def remove_email(self, address):
             c.run("DELETE FROM emails WHERE participant=%s AND address=%s",
                   (self.username, address))
 
-    def send_email(self, message, email=None, **params):
-        header = emails.HEADER
-        include_unsubscribe = params.pop('include_unsubscribe', True)
-        footer = emails.FOOTER if include_unsubscribe else emails.FOOTER_NO_UNSUBSCRIBE
-        if not email:
-            email = self.email_address
-        params['email'] = email
-        message = message.copy()
+    def send_email(self, spt_name, accept_lang=None, **context):
+        context['escape'] = escape
+        context['username'] = self.username
+        context.setdefault('include_unsubscribe', True)
+        email = context.setdefault('email', self.email_address)
+        langs = i18n.parse_accept_lang(accept_lang or self.email_lang or 'en')
+        locale = i18n.match_lang(langs, self.website)
+        i18n.add_helpers_to_context(self.website, context, locale)
+        spt = self.website.emails[spt_name]
+        base_spt = self.website.emails['base']
+        def render(t):
+            b = base_spt[t].render(context)
+            return b.replace('$body', spt[t].render(context))
+        message = {}
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'
         message['to'] = [{'email': email, 'name': self.username}]
-        message['subject'] = message['subject'].format(**params)
-        message['html'] = header['html'] + message['html'].format(**params) + footer['html']
-        message['text'] = header['text'] + message['text'].format(**params) + footer['text']
+        message['subject'] = spt['subject'].render(context)
+        message['html'] = render('text/html')
+        message['text'] = render('text/plain')
 
-        return self.mailer.messages.send(message=message)
+        return self.website.mailer.messages.send(message=message)
 
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 76d3ad0057..9ef189e8fc 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -1,100 +1,20 @@
 from __future__ import unicode_literals
 
+from aspen.resources.pagination import parse_specline, split_and_escape
+from aspen_jinja2_renderer import SimplateLoader
+from jinja2 import Environment
 
-# Header
-# ======
 
-HEADER = dict(
-    html="""\
-<div style="text-align: center; padding: 20px 0; margin: 0;">
-    <img src="https://downloads.gratipay.com/email/gratipay.png" alt="Gratipay">
-</div>
-""",
-    text="""\
-Greetings, program!
-""",
-)
+jinja_env = Environment()
 
 
-# Footer
-# ======
-
-FOOTER_NO_UNSUBSCRIBE = dict(
-    html = """\
-
-<div style="text-align: center; color: #999; padding: 21px 0 0;">
-    <div style="font: normal 14px/21px Arial, sans-serif;">
-        Something not right? Reply to this email for help.
-    </div>
-    <div style="font: normal 10px/21px Arial, sans-serif;">
-        Sent by <a href="https://gratipay.com/" style="color: #999; text-decoration: underline;">Gratipay, LLC</a> | 716 Park Road, Ambridge, PA, 15003, USA
-    </div>
-</div>
-    """,
-    text = """\
-Something not right? Reply to this email for help.
-
-----
-
-Sent by Gratipay, LLC, https://gratipay.com/
-716 Park Road, Ambridge, PA, 15003, USA
-""",
-)
-
-FOOTER = FOOTER_NO_UNSUBSCRIBE  # XXX Need to implement unsubscribe!
-
-
-# Verification
-# ============
-
-VERIFICATION_EMAIL = dict(
-    subject="Connect to {username} on Gratipay?",
-    html="""\
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    We've received a request to connect <b>{email}</b>
-
-    <br>
-
-    to the <b><a href="https://gratipay.com/{username}">{username}</a></b>
-    account on Gratipay. Sound familiar?
-
-    <br><br>
-
-    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
-
-</div>
-""",
-    text="""\
-
-We've received a request to connect {email} to the {username}
-account on Gratipay. Sound familiar? Follow this link to finish
-connecting your email:
-
-{link}
-
-""",
-)
-
-VERIFICATION_NOTICE = dict(
-    subject="Email change requested on Gratipay",
-    html="""\
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    We've received a request to connect <b>{new_email}</b>
-
-    <br>
-
-    to the <b><a href="https://gratipay.com/{username}">{username}</a></b>
-    account on Gratipay. If this wasn't you, contact us at support@gratipay.com.
-
-    <br><br>
-
-
-
-</div>
-""",
-    text="""\
-
-We've received a request to connect {email} to the {username}
-account on Gratipay. If this wasn't you, contact us at support@gratipay.com
-""",
-)
\ No newline at end of file
+def compile_email_spt(fpath):
+    r = {}
+    with open(fpath) as f:
+        pages = list(split_and_escape(f.read()))
+    for i, page in enumerate(pages, 1):
+        tmpl = b'\n' * page.offset + page.content
+        content_type, renderer = parse_specline(page.header)
+        key = 'subject' if i == 1 else content_type
+        r[key] = SimplateLoader(fpath, tmpl).load(jinja_env, fpath)
+    return r
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index 76d810a084..e7a5162278 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -32,6 +32,7 @@
 from gratipay.models import GratipayDB
 from gratipay.utils import COUNTRIES, COUNTRIES_MAP
 from gratipay.utils.cache_static import asset_etag
+from gratipay.utils.emails import compile_email_spt
 from gratipay.utils.i18n import ALIASES, ALIASES_R, get_function_from_rule, strip_accents
 
 def canonical(env):
@@ -42,18 +43,21 @@ def canonical(env):
 def db(website, env):
     dburl = env.database_url
     maxconn = env.database_maxconn
-    db = GratipayDB(dburl, maxconn=maxconn)
+    db = website.db = GratipayDB(dburl, maxconn=maxconn)
 
     for model in (Community, AccountElsewhere, Participant):
         db.register_model(model)
         model.website = website
     gratipay.billing.payday.Payday.db = db
 
-    return db
-
-def mail(env):
-    mailer = Participant.mailer = mandrill.Mandrill(env.mandrill_key)
-    return mailer
+def mail(website, env):
+    website.mailer = mandrill.Mandrill(env.mandrill_key)
+    website.emails = {}
+    emails_dir = website.project_root+'/emails/'
+    i = len(emails_dir)
+    for spt in find_files(emails_dir, '*.spt'):
+        base_name = spt[i:-4]
+        website.emails[base_name] = compile_email_spt(spt)
 
 def billing(env):
     balanced.configure(env.balanced_api_secret)

From cdbbc424cd497e982f84c7f5394ff0534f81aa62 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 21 Nov 2014 14:58:20 +0100
Subject: [PATCH 055/107] move email methods under "Emails" heading instead of
 "Random Junk"

---
 gratipay/models/participant.py | 212 +++++++++++++++++----------------
 1 file changed, 108 insertions(+), 104 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 436e3ea5c0..691d644f89 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -450,110 +450,8 @@ def clear_personal_information(self, cursor):
         self.set_attributes(**r._asdict())
 
 
-    # Random Junk
-    # ===========
-
-    def get_teams(self):
-        """Return a list of teams this user is a member of.
-        """
-        return self.db.all("""
-
-            SELECT team AS name
-                 , ( SELECT count(*)
-                       FROM current_takes
-                      WHERE team=x.team
-                    ) AS nmembers
-              FROM current_takes x
-             WHERE member=%s;
-
-        """, (self.username,))
-
-    @property
-    def accepts_tips(self):
-        return (self.goal is None) or (self.goal >= 0)
-
-
-    def insert_into_communities(self, is_member, name, slug):
-        participant_id = self.id
-        self.db.run("""
-
-            INSERT INTO community_members
-                        (ctime, name, slug, participant, is_member)
-                 VALUES ( COALESCE (( SELECT ctime
-                                        FROM community_members
-                                       WHERE participant=%(participant_id)s
-                                         AND slug=%(slug)s
-                                       LIMIT 1
-                                      ), CURRENT_TIMESTAMP)
-                        , %(name)s, %(slug)s, %(participant_id)s, %(is_member)s
-                         )
-              RETURNING ( SELECT count(*) = 0
-                            FROM community_members
-                           WHERE participant=%(participant_id)s
-                         )
-                     AS first_time_community
-
-        """, locals())
-
-
-    def change_username(self, suggested):
-        """Raise Response or return None.
-
-        Usernames are limited to alphanumeric characters, plus ".,-_:@ ",
-        and can only be 32 characters long.
-
-        """
-        # TODO: reconsider allowing unicode usernames
-        suggested = suggested and suggested.strip()
-
-        if not suggested:
-            raise UsernameIsEmpty(suggested)
-
-        if len(suggested) > 32:
-            raise UsernameTooLong(suggested)
-
-        if set(suggested) - ASCII_ALLOWED_IN_USERNAME:
-            raise UsernameContainsInvalidCharacters(suggested)
-
-        lowercased = suggested.lower()
-
-        if lowercased in gratipay.RESTRICTED_USERNAMES:
-            raise UsernameIsRestricted(suggested)
-
-        if suggested != self.username:
-            try:
-                # Will raise IntegrityError if the desired username is taken.
-                with self.db.get_cursor(back_as=tuple) as c:
-                    add_event(c, 'participant', dict(id=self.id, action='set', values=dict(username=suggested)))
-                    actual = c.one( "UPDATE participants "
-                                    "SET username=%s, username_lower=%s "
-                                    "WHERE username=%s "
-                                    "RETURNING username, username_lower"
-                                   , (suggested, lowercased, self.username)
-                                   )
-            except IntegrityError:
-                raise UsernameAlreadyTaken(suggested)
-
-            assert (suggested, lowercased) == actual # sanity check
-            self.set_attributes(username=suggested, username_lower=lowercased)
-
-        return suggested
-
-    def update_avatar(self):
-        avatar_url = self.db.run("""
-            UPDATE participants p
-               SET avatar_url = (
-                       SELECT avatar_url
-                         FROM elsewhere
-                        WHERE participant = p.username
-                     ORDER BY platform = 'github' DESC,
-                              avatar_url LIKE '%%gravatar.com%%' DESC
-                        LIMIT 1
-                   )
-             WHERE p.username = %s
-         RETURNING avatar_url
-        """, (self.username,))
-        self.set_attributes(avatar_url=avatar_url)
+    # Emails
+    # ======
 
     def add_email(self, email):
         """
@@ -688,6 +586,112 @@ def render(t):
 
         return self.website.mailer.messages.send(message=message)
 
+
+    # Random Junk
+    # ===========
+
+    def get_teams(self):
+        """Return a list of teams this user is a member of.
+        """
+        return self.db.all("""
+
+            SELECT team AS name
+                 , ( SELECT count(*)
+                       FROM current_takes
+                      WHERE team=x.team
+                    ) AS nmembers
+              FROM current_takes x
+             WHERE member=%s;
+
+        """, (self.username,))
+
+    @property
+    def accepts_tips(self):
+        return (self.goal is None) or (self.goal >= 0)
+
+
+    def insert_into_communities(self, is_member, name, slug):
+        participant_id = self.id
+        self.db.run("""
+
+            INSERT INTO community_members
+                        (ctime, name, slug, participant, is_member)
+                 VALUES ( COALESCE (( SELECT ctime
+                                        FROM community_members
+                                       WHERE participant=%(participant_id)s
+                                         AND slug=%(slug)s
+                                       LIMIT 1
+                                      ), CURRENT_TIMESTAMP)
+                        , %(name)s, %(slug)s, %(participant_id)s, %(is_member)s
+                         )
+              RETURNING ( SELECT count(*) = 0
+                            FROM community_members
+                           WHERE participant=%(participant_id)s
+                         )
+                     AS first_time_community
+
+        """, locals())
+
+
+    def change_username(self, suggested):
+        """Raise Response or return None.
+
+        Usernames are limited to alphanumeric characters, plus ".,-_:@ ",
+        and can only be 32 characters long.
+
+        """
+        # TODO: reconsider allowing unicode usernames
+        suggested = suggested and suggested.strip()
+
+        if not suggested:
+            raise UsernameIsEmpty(suggested)
+
+        if len(suggested) > 32:
+            raise UsernameTooLong(suggested)
+
+        if set(suggested) - ASCII_ALLOWED_IN_USERNAME:
+            raise UsernameContainsInvalidCharacters(suggested)
+
+        lowercased = suggested.lower()
+
+        if lowercased in gratipay.RESTRICTED_USERNAMES:
+            raise UsernameIsRestricted(suggested)
+
+        if suggested != self.username:
+            try:
+                # Will raise IntegrityError if the desired username is taken.
+                with self.db.get_cursor(back_as=tuple) as c:
+                    add_event(c, 'participant', dict(id=self.id, action='set', values=dict(username=suggested)))
+                    actual = c.one( "UPDATE participants "
+                                    "SET username=%s, username_lower=%s "
+                                    "WHERE username=%s "
+                                    "RETURNING username, username_lower"
+                                   , (suggested, lowercased, self.username)
+                                   )
+            except IntegrityError:
+                raise UsernameAlreadyTaken(suggested)
+
+            assert (suggested, lowercased) == actual # sanity check
+            self.set_attributes(username=suggested, username_lower=lowercased)
+
+        return suggested
+
+    def update_avatar(self):
+        avatar_url = self.db.run("""
+            UPDATE participants p
+               SET avatar_url = (
+                       SELECT avatar_url
+                         FROM elsewhere
+                        WHERE participant = p.username
+                     ORDER BY platform = 'github' DESC,
+                              avatar_url LIKE '%%gravatar.com%%' DESC
+                        LIMIT 1
+                   )
+             WHERE p.username = %s
+         RETURNING avatar_url
+        """, (self.username,))
+        self.set_attributes(avatar_url=avatar_url)
+
     def update_goal(self, goal):
         typecheck(goal, (Decimal, None))
         with self.db.get_cursor() as c:

From 75b9910eeb49d2569c844921979fb4ddcf6e79a0 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 21 Nov 2014 16:29:02 +0100
Subject: [PATCH 056/107] set `email_lang` when adding or verifying an address
 for the first time

---
 gratipay/models/participant.py      | 7 +++++++
 www/%username/email.json.spt        | 3 +++
 www/%username/verify-email.html.spt | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 691d644f89..94f5bc4eb3 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -586,6 +586,13 @@ def render(t):
 
         return self.website.mailer.messages.send(message=message)
 
+    def set_email_lang(self, accept_lang):
+        if not accept_lang:
+            return
+        self.db.run("UPDATE participants SET email_lang=%s WHERE id=%s",
+                    (accept_lang, self.id))
+        self.set_attributes(email_lang=accept_lang)
+
 
     # Random Junk
     # ===========
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index b3acdec596..0e5622c208 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -22,6 +22,9 @@ address = request.body['address']
 if not email_re.match(address):
     raise Response(400, "Invalid email address.")
 
+if not participant.email_lang:
+    participant.set_email_lang(request.headers.get("Accept-Language"))
+
 if action in ('add-email', 'resend'):
     r = participant.add_email(address)
 elif action == 'set-primary':
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index 814eada03c..ef82debba2 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -16,6 +16,9 @@ email = qs.get('email', '')
 
 result = participant.verify_email(email, nonce)
 
+if not participant.email_lang:
+    participant.set_email_lang(request.headers.get("Accept-Language"))
+
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}
 

From 0c8c43cb0ac64f4c9a49187f32c9dd57d5500759 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 21 Nov 2014 17:02:15 +0100
Subject: [PATCH 057/107] improve test coverage

---
 tests/py/test_email.py | 59 ++++++++++++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 20 deletions(-)

diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index 12fd4dd7ba..ce0d2e0dc3 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -2,7 +2,7 @@
 
 import mock
 
-from gratipay.exceptions import EmailAlreadyTaken
+from gratipay.exceptions import CannotRemovePrimaryEmail, EmailAlreadyTaken, EmailNotVerified
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
 
@@ -12,11 +12,12 @@ class TestEmail(Harness):
     def setUp(self):
         self.alice = self.make_participant('alice', claimed_time='now')
 
-    @mock.patch.object(Participant, 'send_email')
-    def hit_email_spt(self, action, address, send_email, user='alice', should_fail=False):
+    @mock.patch.object(Participant.website, 'mailer')
+    def hit_email_spt(self, action, address, mailer, user='alice', should_fail=False):
         P = self.client.PxST if should_fail else self.client.POST
         data = {'action': action, 'address': address}
-        return P('/alice/email.json', data, auth_as=user)
+        headers = {'HTTP_ACCEPT_LANGUAGE': 'fr,en'}
+        return P('/alice/email.json', data, auth_as=user, **headers)
 
     def verify_email(self, email, nonce, username='alice', should_fail=False):
         url = '/%s/verify-email.html?email=%s&nonce=%s' % (username, email, nonce)
@@ -108,29 +109,47 @@ def test_nonce_is_reused_when_resending_email(self):
         nonce2 = self.alice.get_email('alice@example.com').nonce
         assert nonce1 == nonce2
 
-    @mock.patch.object(Participant, 'send_email')
-    def test_cannot_update_email_to_already_verified(self, send_email):
+    @mock.patch.object(Participant.website, 'mailer')
+    def test_cannot_update_email_to_already_verified(self, mailer):
         bob = self.make_participant('bob', claimed_time='now')
         self.alice.add_email('alice@gratipay.com')
         nonce = self.alice.get_email('alice@gratipay.com').nonce
-        self.alice.verify_email('alice@gratipay.com', nonce)
-        with self.assertRaises(EmailAlreadyTaken):
-            bob.update_email('alice@gratipay.com')
-        assert self.alice.email_address == 'alice@gratipay.com'
-
-    @mock.patch.object(Participant, 'send_email')
-    def test_can_verify_email(self, send_email):
-        email = 'alice@gratipay.com'
-        self.alice.add_email(email)
-        nonce = self.alice.get_email(email).nonce
-        r = self.alice.verify_email(email, nonce)
+        r = self.alice.verify_email('alice@gratipay.com', nonce)
         assert r == 0
-        actual = Participant.from_username('alice').email_address
-        expected = 'alice@gratipay.com'
-        assert actual == expected
+
+        with self.assertRaises(EmailAlreadyTaken):
+            bob.add_email('alice@gratipay.com')
+            nonce = bob.get_email('alice@gratipay.com').nonce
+            bob.verify_email('alice@gratipay.com', nonce)
+
+        email_alice = Participant.from_username('alice').email_address
+        assert email_alice == 'alice@gratipay.com'
 
     def test_account_page_shows_emails(self):
         self.verify_and_change_email('alice@example.com', 'alice@example.net')
         body = self.client.GET("/alice/account/", auth_as="alice").body
         assert 'alice@example.com' in body
         assert 'alice@example.net' in body
+
+    def test_set_primary(self):
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        self.verify_and_change_email('alice@example.net', 'alice@example.org')
+        self.hit_email_spt('set-primary', 'alice@example.com')
+
+    def test_cannot_set_primary_to_unverified(self):
+        with self.assertRaises(EmailNotVerified):
+            self.hit_email_spt('set-primary', 'alice@example.com')
+
+    def test_remove_email(self):
+        # Can remove unverified
+        self.hit_email_spt('add-email', 'alice@example.com')
+        self.hit_email_spt('remove', 'alice@example.com')
+
+        # Can remove verified
+        self.verify_and_change_email('alice@example.com', 'alice@example.net')
+        self.verify_and_change_email('alice@example.net', 'alice@example.org')
+        self.hit_email_spt('remove', 'alice@example.com')
+
+        # Cannot remove primary
+        with self.assertRaises(CannotRemovePrimaryEmail):
+            self.hit_email_spt('remove', 'alice@example.net')

From 74b573ce53d6b42231712480284c9455b134837c Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Wed, 26 Nov 2014 18:34:20 +0100
Subject: [PATCH 058/107] stop trying to attach the `website` object to model
 classes

---
 configure-aspen.py             |  6 +++---
 gratipay/models/participant.py | 10 +++++-----
 gratipay/utils/i18n.py         | 22 ++++++++++++----------
 gratipay/wireup.py             | 32 ++++++++++++++++++--------------
 tests/py/test_email.py         |  4 ++--
 5 files changed, 40 insertions(+), 34 deletions(-)

diff --git a/configure-aspen.py b/configure-aspen.py
index 51efccb63e..3bfbf2743a 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -62,12 +62,12 @@ def _set_cookie(response, *args, **kw):
 env = website.env = gratipay.wireup.env()
 tell_sentry = website.tell_sentry = gratipay.wireup.make_sentry_teller(env)
 gratipay.wireup.canonical(env)
-gratipay.wireup.db(website, env)
-gratipay.wireup.mail(website, env)
+website.db = gratipay.wireup.db(env)
+website.mailer = gratipay.wireup.mail(env, website.project_root)
 gratipay.wireup.billing(env)
 gratipay.wireup.username_restrictions(website)
 gratipay.wireup.nanswers(env)
-gratipay.wireup.load_i18n(website)
+gratipay.wireup.load_i18n(website.project_root, tell_sentry)
 gratipay.wireup.other_stuff(website, env)
 gratipay.wireup.accounts_elsewhere(website, env)
 
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 94f5bc4eb3..ececd5e3b1 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -569,10 +569,10 @@ def send_email(self, spt_name, accept_lang=None, **context):
         context.setdefault('include_unsubscribe', True)
         email = context.setdefault('email', self.email_address)
         langs = i18n.parse_accept_lang(accept_lang or self.email_lang or 'en')
-        locale = i18n.match_lang(langs, self.website)
-        i18n.add_helpers_to_context(self.website, context, locale)
-        spt = self.website.emails[spt_name]
-        base_spt = self.website.emails['base']
+        locale = i18n.match_lang(langs)
+        i18n.add_helpers_to_context(self._tell_sentry, context, locale)
+        spt = self._emails[spt_name]
+        base_spt = self._emails['base']
         def render(t):
             b = base_spt[t].render(context)
             return b.replace('$body', spt[t].render(context))
@@ -584,7 +584,7 @@ def render(t):
         message['html'] = render('text/html')
         message['text'] = render('text/plain')
 
-        return self.website.mailer.messages.send(message=message)
+        return self._mailer.messages.send(message=message)
 
     def set_email_lang(self, accept_lang):
         if not accept_lang:
diff --git a/gratipay/utils/i18n.py b/gratipay/utils/i18n.py
index a7d0c5defd..3e746dc768 100644
--- a/gratipay/utils/i18n.py
+++ b/gratipay/utils/i18n.py
@@ -19,6 +19,8 @@
 
 ALIASES = {k: v.lower() for k, v in LOCALE_ALIASES.items()}
 ALIASES_R = {v: k for k, v in ALIASES.items()}
+LOCALES = {}
+LOCALE_EN = None
 
 
 ternary_re = re.compile(r'^\(? *(.+?) *\? *(.+?) *: *(.+?) *\)?$')
@@ -49,7 +51,7 @@ def get_text(loc, s, *a, **kw):
     return s
 
 
-def n_get_text(website, request, loc, s, p, n, *a, **kw):
+def n_get_text(tell_sentry, request, loc, s, p, n, *a, **kw):
     n = n or 0
     msg = loc.catalog.get((s, p))
     s2 = None
@@ -57,7 +59,7 @@ def n_get_text(website, request, loc, s, p, n, *a, **kw):
         try:
             s2 = msg.string[loc.catalog.plural_func(n)]
         except Exception as e:
-            website.tell_sentry(e, request)
+            tell_sentry(e, request)
     if s2 is None:
         loc = 'en'
         s2 = s if n == 1 else p
@@ -84,7 +86,7 @@ def regularize_locale(loc):
 
 
 def regularize_locales(locales):
-    """Yield locale strings in the same format as they are in website.locales.
+    """Yield locale strings in the same format as they are in LOCALES.
     """
     locales = [regularize_locale(loc) for loc in locales]
     locales_set = set(locales)
@@ -109,12 +111,12 @@ def parse_accept_lang(accept_lang):
     return regularize_locales(languages)
 
 
-def match_lang(languages, website):
+def match_lang(languages):
     for lang in languages:
-        loc = website.locales.get(lang)
+        loc = LOCALES.get(lang)
         if loc:
             return loc
-    return website.locale_en
+    return LOCALE_EN
 
 
 def format_currency_with_options(number, currency, locale='en', trailing_zeroes=True):
@@ -127,15 +129,15 @@ def format_currency_with_options(number, currency, locale='en', trailing_zeroes=
 def set_up_i18n(website, request):
     accept_lang = request.headers.get("Accept-Language", "")
     langs = request.accept_langs = parse_accept_lang(accept_lang)
-    loc = match_lang(langs, website)
-    add_helpers_to_context(website, request.context, loc, request)
+    loc = match_lang(langs)
+    add_helpers_to_context(website.tell_sentry, request.context, loc, request)
 
 
-def add_helpers_to_context(website, context, loc, request=None):
+def add_helpers_to_context(tell_sentry, context, loc, request=None):
     context['locale'] = loc
     context['decimal_symbol'] = get_decimal_symbol(locale=loc)
     context['_'] = lambda s, *a, **kw: get_text(loc, s, *a, **kw)
-    context['ngettext'] = lambda *a, **kw: n_get_text(website, request, loc, *a, **kw)
+    context['ngettext'] = lambda *a, **kw: n_get_text(tell_sentry, request, loc, *a, **kw)
     context['format_number'] = lambda *a: format_number(*a, locale=loc)
     context['format_decimal'] = lambda *a: format_decimal(*a, locale=loc)
     context['format_currency'] = lambda *a, **kw: format_currency_with_options(*a, locale=loc, **kw)
diff --git a/gratipay/wireup.py b/gratipay/wireup.py
index e7a5162278..7898f04724 100644
--- a/gratipay/wireup.py
+++ b/gratipay/wireup.py
@@ -30,7 +30,7 @@
 from gratipay.models.community import Community
 from gratipay.models.participant import Participant
 from gratipay.models import GratipayDB
-from gratipay.utils import COUNTRIES, COUNTRIES_MAP
+from gratipay.utils import COUNTRIES, COUNTRIES_MAP, i18n
 from gratipay.utils.cache_static import asset_etag
 from gratipay.utils.emails import compile_email_spt
 from gratipay.utils.i18n import ALIASES, ALIASES_R, get_function_from_rule, strip_accents
@@ -40,24 +40,26 @@ def canonical(env):
     gratipay.canonical_host = env.canonical_host
 
 
-def db(website, env):
+def db(env):
     dburl = env.database_url
     maxconn = env.database_maxconn
-    db = website.db = GratipayDB(dburl, maxconn=maxconn)
+    db = GratipayDB(dburl, maxconn=maxconn)
 
     for model in (Community, AccountElsewhere, Participant):
         db.register_model(model)
-        model.website = website
     gratipay.billing.payday.Payday.db = db
 
-def mail(website, env):
-    website.mailer = mandrill.Mandrill(env.mandrill_key)
-    website.emails = {}
-    emails_dir = website.project_root+'/emails/'
+    return db
+
+def mail(env, project_root='.'):
+    Participant._mailer = mandrill.Mandrill(env.mandrill_key)
+    emails = {}
+    emails_dir = project_root+'/emails/'
     i = len(emails_dir)
     for spt in find_files(emails_dir, '*.spt'):
         base_name = spt[i:-4]
-        website.emails[base_name] = compile_email_spt(spt)
+        emails[base_name] = compile_email_spt(spt)
+    Participant._emails = emails
 
 def billing(env):
     balanced.configure(env.balanced_api_secret)
@@ -73,6 +75,7 @@ def make_sentry_teller(env):
         aspen.log_dammit("Won't log to Sentry (SENTRY_DSN is empty).")
         def noop(exception, request=None):
             pass
+        Participant._tell_sentry = noop
         return noop
 
     sentry = raven.Client(env.sentry_dsn)
@@ -152,6 +155,7 @@ def tell_sentry(exception, request=None):
         ident = sentry.get_ident(result)
         aspen.log_dammit('Exception reference: ' + ident)
 
+    Participant._tell_sentry = tell_sentry
     return tell_sentry
 
 
@@ -259,11 +263,11 @@ def clean_assets(website):
             pass
 
 
-def load_i18n(website):
+def load_i18n(project_root, tell_sentry):
     # Load the locales
     key = lambda t: strip_accents(t[1])
-    localeDir = os.path.join(website.project_root, 'i18n', 'core')
-    locales = website.locales = {}
+    localeDir = os.path.join(project_root, 'i18n', 'core')
+    locales = i18n.LOCALES
     for file in os.listdir(localeDir):
         try:
             parts = file.split(".")
@@ -281,10 +285,10 @@ def load_i18n(website):
                     l.countries_map = COUNTRIES_MAP
                     l.countries = COUNTRIES
         except Exception as e:
-            website.tell_sentry(e)
+            tell_sentry(e)
 
     # Add the default English locale
-    locale_en = website.locale_en = locales['en'] = Locale('en')
+    locale_en = i18n.LOCALE_EN = locales['en'] = Locale('en')
     locale_en.catalog = Catalog('en')
     locale_en.catalog.plural_func = lambda n: n != 1
     locale_en.countries = COUNTRIES
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index ce0d2e0dc3..8fc1e374bb 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -12,7 +12,7 @@ class TestEmail(Harness):
     def setUp(self):
         self.alice = self.make_participant('alice', claimed_time='now')
 
-    @mock.patch.object(Participant.website, 'mailer')
+    @mock.patch.object(Participant, '_mailer')
     def hit_email_spt(self, action, address, mailer, user='alice', should_fail=False):
         P = self.client.PxST if should_fail else self.client.POST
         data = {'action': action, 'address': address}
@@ -109,7 +109,7 @@ def test_nonce_is_reused_when_resending_email(self):
         nonce2 = self.alice.get_email('alice@example.com').nonce
         assert nonce1 == nonce2
 
-    @mock.patch.object(Participant.website, 'mailer')
+    @mock.patch.object(Participant, '_mailer')
     def test_cannot_update_email_to_already_verified(self, mailer):
         bob = self.make_participant('bob', claimed_time='now')
         self.alice.add_email('alice@gratipay.com')

From 30bf01718114f949f0aa303d4dc1cb8b5c0bc29b Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Wed, 26 Nov 2014 19:46:01 +0100
Subject: [PATCH 059/107] fix branch.py

---
 branch.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/branch.py b/branch.py
index ded8662436..d9f624ad48 100644
--- a/branch.py
+++ b/branch.py
@@ -7,11 +7,21 @@
 import uuid
 
 from aspen.utils import utcnow
+from postgres.orm import Model
+
 import gratipay.wireup
 
 env = gratipay.wireup.env()
+tell_sentry = gratipay.wireup.make_sentry_teller(env)
 db = gratipay.wireup.db(env)
 gratipay.wireup.mail(env)
+gratipay.wireup.load_i18n('.', tell_sentry)
+
+
+class EmailAddressWithConfirmation(Model):
+    typname = "email_address_with_confirmation"
+
+db.register_model(EmailAddressWithConfirmation)
 
 
 def add_email(self, email):

From 21198b78402158df9a613f7a3699cd151740d9d4 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 27 Nov 2014 12:13:05 +0530
Subject: [PATCH 060/107] Fixed link in initial email

---
 emails/initial.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/emails/initial.spt b/emails/initial.spt
index e8da3ee47b..9f061f7da7 100644
--- a/emails/initial.spt
+++ b/emails/initial.spt
@@ -9,7 +9,7 @@
     account on Gratipay. Sound familiar?
     <br>
     <br>
-    <a href="{link}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
+    <a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
 
 </div>
 [---] text/plain

From 4e454d9fa8ea1b99c8a3dca06ca110650740e87d Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla <rohitpaul@iitrpr.ac.in>
Date: Thu, 27 Nov 2014 12:21:38 +0530
Subject: [PATCH 061/107] show new email address in verification notice, not
 old one.

---
 emails/verification_notice.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/emails/verification_notice.spt b/emails/verification_notice.spt
index ea4d947b33..a762dcdd0d 100644
--- a/emails/verification_notice.spt
+++ b/emails/verification_notice.spt
@@ -3,12 +3,12 @@
 [---] text/html
 <div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
     {{ _("We've received a request to connect {0} to the {1} account on Gratipay.",
-         '<b>%s</b><br>' % escape(email),
+         '<b>%s</b><br>' % escape(new_email),
          '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
     <br>
     {{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}
 </div>
 
 [---] text/plain
-{{ _("We've received a request to connect {0} to the {1} account on Gratipay.", email, username) }}
+{{ _("We've received a request to connect {0} to the {1} account on Gratipay.", new_email, username) }}
 {{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}

From ee3c871c5737c76e3261fb733d2829ad7795058a Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 2 Dec 2014 17:31:22 +0100
Subject: [PATCH 062/107] remove i18n TODOs, see #2977

---
 gratipay/exceptions.py | 2 --
 js/gratipay/profile.js | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index 063a4b2f3a..17195e332e 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -1,7 +1,5 @@
 """
 This module contains exceptions shared across application code.
-
-TODO i18n of error messages
 """
 
 from __future__ import print_function, unicode_literals
diff --git a/js/gratipay/profile.js b/js/gratipay/profile.js
index 6a2d258cdb..a73ab36152 100644
--- a/js/gratipay/profile.js
+++ b/js/gratipay/profile.js
@@ -201,10 +201,10 @@ Gratipay.profile.init = function() {
                 $('.toggle-bitcoin').show();
                 $('.bitcoin').toggle();
                 if (d.bitcoin_address === '') {
-                    $('.toggle-bitcoin').text('+ Add');  // TODO i18n
+                    $('.toggle-bitcoin').text('+ Add');
                     $('.bitcoin .address').attr('href', '');
                 } else {
-                    $('.toggle-bitcoin').text('Edit');  // TODO i18n
+                    $('.toggle-bitcoin').text('Edit');
                     $('.bitcoin .address').attr('href', 'https://blockchain.info/address/'+d.bitcoin_address);
                 }
                 $this.css('opacity', 1);

From c4d91c834c5f6cb85ca87314cebb907d852d7f6d Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Wed, 3 Dec 2014 15:02:51 +0100
Subject: [PATCH 063/107] don't use emails from elsewhere in `branch.py`

---
 branch.py | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/branch.py b/branch.py
index d9f624ad48..0e03a340d3 100644
--- a/branch.py
+++ b/branch.py
@@ -1,6 +1,6 @@
 """
 This is a one-off script to populate the new `emails` table using the addresses
-we have in `participants` and `elsewhere`.
+we have in `participants`.
 """
 from __future__ import division, print_function, unicode_literals
 
@@ -43,21 +43,6 @@ def add_email(self, email):
 
 
 participants = db.all("""
-    UPDATE participants p
-       SET email = (e.email, false)
-      FROM (
-               SELECT DISTINCT ON (participant)
-                      participant, email
-                 FROM elsewhere
-                WHERE email IS NOT NULL AND email <> ''
-             ORDER BY participant, platform = 'github' DESC
-           ) e
-     WHERE e.participant = p.username
-       AND p.email IS NULL
-       AND NOT p.is_closed
-       AND p.is_suspicious IS NOT true
-       AND p.claimed_time IS NOT NULL;
-
     SELECT p.*::participants
       FROM participants p
      WHERE email IS NOT NULL

From 8538edcc6d299503c6cccf01ae893729dbdef144 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Wed, 3 Dec 2014 16:31:07 +0100
Subject: [PATCH 064/107] fix the schema of the new `emails` table

---
 branch.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/branch.sql b/branch.sql
index f78302dd89..230446d481 100644
--- a/branch.sql
+++ b/branch.sql
@@ -6,7 +6,7 @@ BEGIN;
     , nonce                             text
     , ctime                             timestamp with time zone    NOT NULL DEFAULT CURRENT_TIMESTAMP
     , mtime                             timestamp with time zone
-    , participant                       text                        NOT NULL REFERENCES participants
+    , participant                       text                        NOT NULL REFERENCES participants ON UPDATE CASCADE ON DELETE RESTRICT
     , UNIQUE (address, verified) -- A verified email address can't be linked to multiple participants.
     , UNIQUE (participant, address)
      );

From 827459795086e2813e12bf2bd9fcecda98d9dd99 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 4 Dec 2014 14:12:23 +0100
Subject: [PATCH 065/107] list the email addresses in the order they were added

---
 gratipay/models/participant.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index ececd5e3b1..b753385dd5 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -553,6 +553,7 @@ def get_emails(self, condition='true'):
             SELECT *
               FROM emails
              WHERE participant=%s AND {0}
+          ORDER BY id
         """.format(condition), (self.username,))
 
     def remove_email(self, address):

From 3aa0e3636cb2d9f5ae66cebc626985b79326133b Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 4 Dec 2014 14:48:35 +0100
Subject: [PATCH 066/107] fix email events

---
 branch.sql                     |  6 ++++++
 gratipay/models/participant.py | 14 ++++++++------
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/branch.sql b/branch.sql
index 230446d481..1b61e6f059 100644
--- a/branch.sql
+++ b/branch.sql
@@ -18,4 +18,10 @@ BEGIN;
 
     ALTER TABLE participants ADD COLUMN email_address text UNIQUE,
                              ADD COLUMN email_lang text;
+
+    UPDATE events
+       SET payload = replace(replace(payload::text, '"set"', '"add"'), '"current_email"', '"email"')::json
+     WHERE payload->>'action' = 'set'
+       AND (payload->'values'->'current_email') IS NOT NULL;
+
 END;
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index b753385dd5..61f3488d19 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -473,7 +473,7 @@ def add_email(self, email):
         ctime = utcnow()
         try:
             with self.db.get_cursor() as c:
-                add_event(c, 'participant', dict(id=self.id, action='set', values=dict(current_email=email)))
+                add_event(c, 'participant', dict(id=self.id, action='add', values=dict(email=email)))
                 c.run("""
                     INSERT INTO emails
                                 (address, nonce, ctime, participant)
@@ -510,11 +510,13 @@ def update_email(self, email):
         if not getattr(self.get_email(email), 'verified', False):
             raise EmailNotVerified(email)
         username = self.username
-        self.db.run("""
-            UPDATE participants
-               SET email_address=%(email)s
-             WHERE username=%(username)s
-        """, locals())
+        with self.db.get_cursor() as c:
+            add_event(c, 'participant', dict(id=self.id, action='set', values=dict(primary_email=email)))
+            c.run("""
+                UPDATE participants
+                   SET email_address=%(email)s
+                 WHERE username=%(username)s
+            """, locals())
         self.set_attributes(email_address=email)
 
     def verify_email(self, email, nonce):

From 11ace502c67ed92f97fd332ad28da0dd936e90eb Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 4 Dec 2014 16:57:21 +0100
Subject: [PATCH 067/107] allow to hit enter when entering an email address

---
 js/gratipay/account.js               | 17 +++++++++++------
 www/%username/account/index.html.spt |  6 ++++--
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index f9bcb5c635..1318bef640 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -121,13 +121,14 @@ Gratipay.account.init = function() {
 
     // Wire up email addresses list.
     // =============================
-    $('.emails button').prop('disabled', false);
-    $('.emails button').on('click', function() {
+    function post_email(e) {
+        e.preventDefault();
         var $this = $(this);
         var action = this.className;
+        var $inputs = $('.emails button, .emails input');
         var address = $this.parent().data('email') || $('input.add-email').val();
 
-        $this.prop('disabled', true);
+        $inputs.prop('disabled', true);
 
         $.ajax({
             url: '../email.json',
@@ -135,8 +136,9 @@ Gratipay.account.init = function() {
             data: {action: action, address: address},
             dataType: 'json',
             success: function (data) {
-                $this.prop('disabled', false);
+                $inputs.prop('disabled', false);
                 if (action == 'add-email') {
+                    $('input.add-email').val('');
                     window.location.reload();
                 } else if (action == 'set-primary') {
                     $('.emails li').removeClass('primary');
@@ -148,12 +150,15 @@ Gratipay.account.init = function() {
                 }
             },
             error: function (e) {
-                $this.prop('disabled', false);
+                $inputs.prop('disabled', false);
                 error_message = JSON.parse(e.responseText).error_message_long;
                 Gratipay.notification(error_message || "Failure", 'error');
             },
         });
-    });
+    }
+    $('.emails button, .emails input').prop('disabled', false);
+    $('.emails button[class]').on('click', post_email);
+    $('form.add-email').on('submit', post_email);
 
 
     // Wire up close knob.
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 6f25a77344..6f52108e3c 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -161,8 +161,10 @@ emails = participant.get_emails()
                 </li>
             {% endfor %}
             </ul>
-            <input class="add-email" name="email" type="email" placeholder="sam@example.net" />
-            <button class="add-email">{{ _("Add email address") }}</button>
+            <form class="add-email">
+                <input class="add-email" name="email" type="email" placeholder="sam@example.net" />
+                <button type="submit">{{ _("Add email address") }}</button>
+            </form>
         </div>
 
 

From d7fe2e0d44c6cd7e540b0a7d89d8b9bdcade96e6 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Thu, 4 Dec 2014 17:47:50 +0100
Subject: [PATCH 068/107] raise `EmailAlreadyTaken` early if an email address
 is already verified

---
 gratipay/models/participant.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 61f3488d19..2fcc2108ca 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -462,9 +462,18 @@ def add_email(self, email):
             Returns the number of emails sent.
         """
 
-        # If the email is already verified we have nothing to do.
-        if email == self.email_address:
-            return 0
+        # Check that this address isn't already verified
+        owner = self.db.one("""
+            SELECT participant
+              FROM emails
+             WHERE address = %(email)s
+               AND verified IS true
+        """, locals())
+        if owner:
+            if owner == self.id:
+                return 0
+            else:
+                raise EmailAlreadyTaken(email)
 
         if len(self.get_emails('verified is null')) > 9:
             raise TooManyEmailAddresses(email)

From ed30791d01055abc62ac5fe044075b9f09703c10 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Fri, 5 Dec 2014 13:22:18 -0500
Subject: [PATCH 069/107] Tweak "already linked" error message

---
 gratipay/exceptions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index 17195e332e..27bbff14a6 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -32,7 +32,7 @@ def __init__(self, *args):
         Response.__init__(self, 400, self.msg.format(*args))
 
 class EmailAlreadyTaken(ProblemChangingEmail):
-    msg = "An account with the email '{}' already exists"
+    msg = "{} is already linked to a different Gratipay account."
 
 class CannotRemovePrimaryEmail(ProblemChangingEmail):
     msg = "You cannot remove your primary email address."

From 6290606ea0e49213b1feaf1cdb5567b5b72c1a03 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Fri, 5 Dec 2014 13:24:15 -0500
Subject: [PATCH 070/107] Standardize on "connect"

---
 gratipay/exceptions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gratipay/exceptions.py b/gratipay/exceptions.py
index 27bbff14a6..94f2c6ff16 100644
--- a/gratipay/exceptions.py
+++ b/gratipay/exceptions.py
@@ -32,7 +32,7 @@ def __init__(self, *args):
         Response.__init__(self, 400, self.msg.format(*args))
 
 class EmailAlreadyTaken(ProblemChangingEmail):
-    msg = "{} is already linked to a different Gratipay account."
+    msg = "{} is already connected to a different Gratipay account."
 
 class CannotRemovePrimaryEmail(ProblemChangingEmail):
     msg = "You cannot remove your primary email address."

From eab4f8197423737be43cd735b4376bf22ed03de9 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 20:20:48 +0100
Subject: [PATCH 071/107] failing test for email addresses deletion when
 closing account

---
 tests/py/test_close.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/py/test_close.py b/tests/py/test_close.py
index b3a80bfc6f..2e7585ec54 100644
--- a/tests/py/test_close.py
+++ b/tests/py/test_close.py
@@ -4,7 +4,9 @@
 from decimal import Decimal as D
 
 import balanced
+import mock
 import pytest
+
 from gratipay.billing.payday import Payday
 from gratipay.exceptions import NoBalancedCustomerHref, NotWhitelisted
 from gratipay.models.community import Community
@@ -274,7 +276,8 @@ def test_ctr_clears_multiple_tips_receiving(self):
 
     # cpi - clear_personal_information
 
-    def test_cpi_clears_personal_information(self):
+    @mock.patch.object(Participant, '_mailer')
+    def test_cpi_clears_personal_information(self, mailer):
         alice = self.make_participant( 'alice'
                                      , statement='not forgetting to be awesome!'
                                      , goal=100
@@ -292,6 +295,7 @@ def test_cpi_clears_personal_information(self):
                                      , npatrons=21
                                       )
         assert Participant.from_username('alice').number == 'plural' # sanity check
+        alice.add_email('alice@example.net')
 
         with self.db.get_cursor() as cursor:
             alice.clear_personal_information(cursor)
@@ -311,6 +315,7 @@ def test_cpi_clears_personal_information(self):
         assert alice.npatrons == new_alice.npatrons == 0
         assert alice.session_token == new_alice.session_token == None
         assert alice.session_expires.year == new_alice.session_expires.year == date.today().year
+        assert not alice.get_emails()
 
     def test_cpi_clears_communities(self):
         alice = self.make_participant('alice')

From f65199c6762dbc2a9c2bd0048c10a01c9ef2c48c Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 20:30:02 +0100
Subject: [PATCH 072/107] delete all email addresses when closing account

---
 gratipay/models/participant.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 2fcc2108ca..e9d8ab5be0 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -428,6 +428,8 @@ def clear_personal_information(self, cursor):
                    AND is_member IS true
             );
 
+            DELETE FROM emails WHERE participant = %(username)s;
+
             UPDATE participants
                SET statement=''
                  , goal=NULL

From 7ae40951feb5d93f2cd7dd392bb2e49abd759e78 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 21:24:26 +0100
Subject: [PATCH 073/107] failing test for the merging of email addresses

---
 tests/py/test_participant.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/tests/py/test_participant.py b/tests/py/test_participant.py
index 9f7bb530cd..00782ca14c 100644
--- a/tests/py/test_participant.py
+++ b/tests/py/test_participant.py
@@ -4,6 +4,7 @@
 from decimal import Decimal
 import random
 
+import mock
 import pytest
 
 from aspen.utils import utcnow
@@ -202,6 +203,30 @@ def test_idempotent(self):
         alice.take_over(bob_github, have_confirmation=True)
         self.db.self_check()
 
+    @mock.patch.object(Participant, '_mailer')
+    def test_email_addresses_merging(self, mailer):
+        alice = self.make_participant('alice')
+        alice.add_email('alice@example.com')
+        alice.add_email('alice@example.net')
+        alice.add_email('alice@example.org')
+        alice.verify_email('alice@example.org', alice.get_email('alice@example.org').nonce)
+        bob_github = self.make_elsewhere('github', 2, 'bob')
+        bob = bob_github.opt_in('bob')[0].participant
+        bob.add_email('alice@example.com')
+        bob.verify_email('alice@example.com', bob.get_email('alice@example.com').nonce)
+        bob.add_email('alice@example.net')
+        bob.add_email('bob@example.net')
+        alice.take_over(bob_github, have_confirmation=True)
+
+        alice_emails = {e.address: e for e in alice.get_emails()}
+        assert len(alice_emails) == 4
+        assert alice_emails['alice@example.com'].verified
+        assert alice_emails['alice@example.org'].verified
+        assert not alice_emails['alice@example.net'].verified
+        assert not alice_emails['bob@example.net'].verified
+
+        assert not Participant.from_id(bob.id).get_emails()
+
 
 class TestParticipant(Harness):
     def setUp(self):

From f1610f352866208875bd95074ae4f9740f3fec1b Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 21:40:32 +0100
Subject: [PATCH 074/107] merge email addresses in `take_over`

---
 gratipay/models/participant.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index e9d8ab5be0..facaa11ca4 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -1338,6 +1338,24 @@ def take_over(self, account, have_confirmation=False):
 
         """
 
+        MERGE_EMAIL_ADDRESSES = """
+
+            WITH emails_to_keep AS (
+                     SELECT DISTINCT ON (address) id
+                       FROM emails
+                      WHERE participant IN (%(dead)s, %(live)s)
+                   ORDER BY address, mtime, ctime DESC
+                 )
+            DELETE FROM emails
+             WHERE participant IN (%(dead)s, %(live)s)
+               AND id NOT IN (SELECT id FROM emails_to_keep);
+
+            UPDATE emails
+               SET participant = %(live)s
+             WHERE participant = %(dead)s;
+
+        """
+
         new_balance = None
 
         with self.db.get_cursor() as cursor:
@@ -1464,6 +1482,11 @@ def take_over(self, account, have_confirmation=False):
                 other.set_attributes(balance=archive_balance)
                 new_balance = cursor.one(TRANSFER_BALANCE_2, args)
 
+                # Take over email addresses.
+                # ==========================
+
+                cursor.run(MERGE_EMAIL_ADDRESSES, dict(live=x, dead=y))
+
                 # Disconnect any remaining elsewhere account.
                 # ===========================================
 

From a8dec4484969f73b82c0523eaa2181833e0093a6 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 23:43:24 +0100
Subject: [PATCH 075/107] strip email messages

---
 gratipay/models/participant.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index facaa11ca4..1a60551236 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -588,8 +588,8 @@ def send_email(self, spt_name, accept_lang=None, **context):
         spt = self._emails[spt_name]
         base_spt = self._emails['base']
         def render(t):
-            b = base_spt[t].render(context)
-            return b.replace('$body', spt[t].render(context))
+            b = base_spt[t].render(context).strip()
+            return b.replace('$body', spt[t].render(context).strip())
         message = {}
         message['from_email'] = 'support@gratipay.com'
         message['from_name'] = 'Gratipay Support'

From 2bc84bd947b1b2094239acf799ca17bc151b641f Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 5 Dec 2014 23:51:43 +0100
Subject: [PATCH 076/107] fix condition

---
 gratipay/models/participant.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 1a60551236..105f09c71d 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -472,7 +472,7 @@ def add_email(self, email):
                AND verified IS true
         """, locals())
         if owner:
-            if owner == self.id:
+            if owner == self.username:
                 return 0
             else:
                 raise EmailAlreadyTaken(email)

From f07a1db88f6f683dfcca96bb902a95be1aeb805c Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Fri, 5 Dec 2014 16:15:56 -0500
Subject: [PATCH 077/107] Revise content for verification messages

---
 emails/base.spt                |  2 ++
 emails/initial.spt             | 26 ++++++++++++--------------
 emails/verification.spt        | 18 +++++++++---------
 emails/verification_notice.spt | 19 +++++++++----------
 4 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/emails/base.spt b/emails/base.spt
index 248d65caa9..4f28619fbb 100644
--- a/emails/base.spt
+++ b/emails/base.spt
@@ -3,7 +3,9 @@
     <img src="https://downloads.gratipay.com/email/gratipay.png" alt="Gratipay">
 </div>
 
+<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333; padding: 0 20%;">
 $body
+</div>
 
 {% if include_unsubscribe %}
     TODO
diff --git a/emails/initial.spt b/emails/initial.spt
index 9f061f7da7..de3f226762 100644
--- a/emails/initial.spt
+++ b/emails/initial.spt
@@ -1,21 +1,19 @@
 {{ _("Connect to {0} on Gratipay?", username) }}
 
 [---] text/html
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    We're working on adding email notifications to Gratipay (formerly Gittip)
-    and we're sending this email to confirm that you (<b>{{ email|e }}</b>)
-    <br>
-    are the owner of the <b><a href="https://gratipay.com/{{ username }}">{{ username }}</a></b>
-    account on Gratipay. Sound familiar?
-    <br>
-    <br>
-    <a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
+We're adding email notifications to Gratipay (formerly Gittip) and we're
+sending this email to confirm that you (<b>{{ email|e }}</b>)
+<br>
+are the owner of the <b><a href="https://gratipay.com/{{ username }}">{{ username }}</a></b>
+account on Gratipay. Sound familiar?
+<br>
+<br>
+<a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
 
-</div>
 [---] text/plain
-We're working on adding email notifications to Gratipay (formerly Gittip)
-and we're sending this email to confirm that you ({{ email }}) are the owner
-of the {{ username }} account on Gratipay. Sound familiar? Follow this link
-to finish connecting your email:
+We're adding email notifications to Gratipay (formerly Gittip) and we're
+sending this email to confirm that you ({{ email }}) are the owner of the {{
+username }} account on Gratipay. Sound familiar? Follow this link to finish
+connecting your email:
 
 {{ link }}
diff --git a/emails/verification.spt b/emails/verification.spt
index 6392dfc0b6..e8c4e7bc0c 100644
--- a/emails/verification.spt
+++ b/emails/verification.spt
@@ -1,17 +1,17 @@
 {{ _("Connect to {0} on Gratipay?", username) }}
 
 [---] text/html
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    {{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?",
-         '<b>%s</b><br>' % escape(email),
-         '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
-    <br>
-    <br>
-    <a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">{{ _("Yes, proceed!") }}</a>
-</div>
+{{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?",
+     '<b>%s</b>' % escape(email),
+     '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
+<br>
+<br>
+<a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">{{ _("Yes, proceed!") }}</a>
 
 [---] text/plain
-{{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?", email, username) }}
+{{ _("We've received a request to connect {0} to the {1} account on Gratipay. Sound familiar?",
+     email, username) }}
+
 {{ _("Follow this link to finish connecting your email:") }}
 
 {{ link }}
diff --git a/emails/verification_notice.spt b/emails/verification_notice.spt
index a762dcdd0d..e02aad51f8 100644
--- a/emails/verification_notice.spt
+++ b/emails/verification_notice.spt
@@ -1,14 +1,13 @@
-{{ _("Email change requested on Gratipay") }}
+{{ _("Connecting {0} to {1} on Gratipay.", new_email, username) }}
 
 [---] text/html
-<div style="text-align: center; font: normal 14px/21px Arial, sans-serif; color: #333;">
-    {{ _("We've received a request to connect {0} to the {1} account on Gratipay.",
-         '<b>%s</b><br>' % escape(new_email),
-         '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username)) }}
-    <br>
-    {{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}
-</div>
+{{ _("We are connecting {0} to the {1} account on Gratipay. This is a notification "
+     "sent to {2} because that is the primary email address we have on file.",
+     '<b>%s</b>' % escape(new_email),
+     '<b><a href="https://gratipay.com/{0}">{0}</a></b>'.format(username),
+     '<b>%s</b>' % escape(email)) }}
 
 [---] text/plain
-{{ _("We've received a request to connect {0} to the {1} account on Gratipay.", new_email, username) }}
-{{ _("If this wasn't you, contact us at {0}.", "support@gratipay.com") }}
+{{ _("We are connecting {0} to the {1} account on Gratipay. This is a notification "
+     "sent to {2} because that is the primary email address we have on file.",
+     new_email, username, email) }}

From 468239fc1af2cb64679c71dd7eabda90b90b9f74 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Fri, 5 Dec 2014 22:16:35 -0500
Subject: [PATCH 078/107] Trim up whitespace in text/plain emails

We want TODOs in GitHub anyway, not in code.
---
 emails/base.spt | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/emails/base.spt b/emails/base.spt
index 4f28619fbb..dc0eea04a9 100644
--- a/emails/base.spt
+++ b/emails/base.spt
@@ -7,10 +7,6 @@
 $body
 </div>
 
-{% if include_unsubscribe %}
-    TODO
-{% endif %}
-
 <div style="text-align: center; color: #999; padding: 21px 0 0;">
     <div style="font: normal 14px/21px Arial, sans-serif;">
         {{ _("Something not right? Reply to this email for help.") }}
@@ -25,10 +21,6 @@ $body
 
 $body
 
-{% if include_unsubscribe %}
-    TODO
-{% endif %}
-
 {{ _("Something not right? Reply to this email for help.") }}
 
 ----

From a969f77d3f216603ca4bd80e08053065568285ea Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Sat, 6 Dec 2014 11:23:39 +0100
Subject: [PATCH 079/107] don't change the primary email when verifying a
 secondary address

---
 gratipay/models/participant.py | 3 ++-
 tests/py/test_email.py         | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 105f09c71d..56e2f0db94 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -546,7 +546,8 @@ def verify_email(self, email, nonce):
                     """, (self.username, email))
                 except IntegrityError:
                     raise EmailAlreadyTaken(email)
-                self.update_email(email)
+                if not self.email_address:
+                    self.update_email(email)
                 return 0  # Verified
             else:
                 return 1  # Expired
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index 8fc1e374bb..b2cebd00fb 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -98,7 +98,7 @@ def test_verify_email_after_update(self):
         self.verify_and_change_email('alice@example.com', 'alice@example.net')
         nonce = self.alice.get_email('alice@example.net').nonce
         self.verify_email('alice@example.net', nonce)
-        expected = 'alice@example.net'
+        expected = 'alice@example.com'
         actual = Participant.from_username('alice').email_address
         assert expected == actual
 
@@ -148,8 +148,8 @@ def test_remove_email(self):
         # Can remove verified
         self.verify_and_change_email('alice@example.com', 'alice@example.net')
         self.verify_and_change_email('alice@example.net', 'alice@example.org')
-        self.hit_email_spt('remove', 'alice@example.com')
+        self.hit_email_spt('remove', 'alice@example.net')
 
         # Cannot remove primary
         with self.assertRaises(CannotRemovePrimaryEmail):
-            self.hit_email_spt('remove', 'alice@example.net')
+            self.hit_email_spt('remove', 'alice@example.com')

From 2e60c4c806b88fe15df6d94ee346fb1914352766 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 11:52:26 -0500
Subject: [PATCH 080/107] Update branch.py to build link from env

I want to test this locally, with links back to localhost.
---
 branch.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/branch.py b/branch.py
index 0e03a340d3..73bf62e285 100644
--- a/branch.py
+++ b/branch.py
@@ -6,6 +6,7 @@
 
 import uuid
 
+import gratipay
 from aspen.utils import utcnow
 from postgres.orm import Model
 
@@ -16,6 +17,7 @@
 db = gratipay.wireup.db(env)
 gratipay.wireup.mail(env)
 gratipay.wireup.load_i18n('.', tell_sentry)
+gratipay.wireup.canonical(env)
 
 
 class EmailAddressWithConfirmation(Model):
@@ -33,8 +35,10 @@ def add_email(self, email):
              VALUES (%s, %s, %s, %s)
     """, (email, nonce, ctime, self.username))
 
+    scheme = gratipay.canonical_scheme
+    host = gratipay.canonical_host
     username = self.username_lower
-    link = "https://gratipay.com/{username}/verify-email.html?email={email}&nonce={nonce}"
+    link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
     self.send_email('initial',
                     email=email,
                     link=link.format(**locals()),

From 365e1827068484e6a20f24795d2ac7229398528d Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 11:58:09 -0500
Subject: [PATCH 081/107] Revise initial verification message

---
 emails/initial.spt | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/emails/initial.spt b/emails/initial.spt
index de3f226762..f5cb5ca152 100644
--- a/emails/initial.spt
+++ b/emails/initial.spt
@@ -1,19 +1,21 @@
 {{ _("Connect to {0} on Gratipay?", username) }}
 
 [---] text/html
-We're adding email notifications to Gratipay (formerly Gittip) and we're
-sending this email to confirm that you (<b>{{ email|e }}</b>)
-<br>
-are the owner of the <b><a href="https://gratipay.com/{{ username }}">{{ username }}</a></b>
-account on Gratipay. Sound familiar?
+A while ago we received a request to connect <b>{{ escape(email) }}</b> to the
+{{ '<b><a href="https://gratipay.com/{0}/">{0}</a></b>'.format(username) }}
+account on Gratipay (<a
+href="https://medium.com/gratipay-blog/gratitude-gratipay-ef24ad5e41f9">formerly</a>
+Gittip). Now we're finally sending a verification email! Ring a bell?
 <br>
 <br>
 <a href="{{ link }}" style="color: #fff; text-decoration:none; display:inline-block; padding: 0 15px; background: #396; font: normal 14px/40px Arial, sans-serif; white-space: nowrap; border-radius: 3px">Yes, proceed!</a>
 
 [---] text/plain
-We're adding email notifications to Gratipay (formerly Gittip) and we're
-sending this email to confirm that you ({{ email }}) are the owner of the {{
-username }} account on Gratipay. Sound familiar? Follow this link to finish
-connecting your email:
+
+A while ago we received a request to connect `{{ email }}`
+to the `{{ username }}` account on Gratipay (formerly Gittip).
+Now we're finally sending a verification email!
+
+Ring a bell? Follow this link to finish connecting your email:
 
 {{ link }}

From 3110318339fe6bc751cc056026c472e21af63c4e Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 12:07:54 -0500
Subject: [PATCH 082/107] Link straight to emails, at least

Better if we redirected straight here with a notification, but
notifications are too crusty right now.
---
 www/%username/verify-email.html.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
index ef82debba2..5956aee096 100644
--- a/www/%username/verify-email.html.spt
+++ b/www/%username/verify-email.html.spt
@@ -39,7 +39,7 @@ if not participant.email_lang:
     {% elif result == 2 %}
         <h1>{{ _("Failed to verify your email address") }}</h1>
     {% endif %}
-    <a href="/{{ participant.username }}/">{{ _("Go to your profile") }}.</a>
+    <a href="/{{ participant.username }}/account/#emails">{{ _("View your email addresses") }}.</a>
     </div>
 {% endblock %}
 

From 6793871111fdd56ffdd8cf793eee731fc8455f59 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 8 Dec 2014 18:16:21 +0100
Subject: [PATCH 083/107] more explicit success/error messages

---
 js/gratipay/account.js       |  7 ++++---
 www/%username/email.json.spt | 13 +++++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 1318bef640..4c339e9efe 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -135,7 +135,7 @@ Gratipay.account.init = function() {
             type: 'POST',
             data: {action: action, address: address},
             dataType: 'json',
-            success: function (data) {
+            success: function (msg) {
                 $inputs.prop('disabled', false);
                 if (action == 'add-email') {
                     $('input.add-email').val('');
@@ -145,8 +145,9 @@ Gratipay.account.init = function() {
                     $this.parent().addClass('primary');
                 } else if (action == 'remove') {
                     $this.parent().fadeOut();
-                } else {
-                    Gratipay.notification("Success" , 'success');
+                }
+                if (msg) {
+                    Gratipay.notification(msg, 'success');
                 }
             },
             error: function (e) {
diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 0e5622c208..05917d879e 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -20,19 +20,24 @@ address = request.body['address']
 # This checks for exactly one @ and at least one . after @
 # The real validation will happen when we send the email
 if not email_re.match(address):
-    raise Response(400, "Invalid email address.")
+    raise Response(400, _("Invalid email address."))
 
 if not participant.email_lang:
     participant.set_email_lang(request.headers.get("Accept-Language"))
 
+msg = None
 if action in ('add-email', 'resend'):
     r = participant.add_email(address)
+    if r:
+        msg = _("A verification email has been sent to {0}", address)
+    else:
+        raise Response(400, _("You have already added and verified this address."))
 elif action == 'set-primary':
-    r = participant.update_email(address)
+    participant.update_email(address)
 elif action == 'remove':
-    r = participant.remove_email(address)
+    participant.remove_email(address)
 else:
     raise Response(400, 'unknown action "%s"' % action)
 
 [---] application/json via json_dump
-r
+msg

From 3afd3521abd6a472f4ae8cb22736a361b71da74e Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 12:28:32 -0500
Subject: [PATCH 084/107] Add a period to a notification

---
 www/%username/email.json.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/%username/email.json.spt b/www/%username/email.json.spt
index 05917d879e..817e7c78dc 100644
--- a/www/%username/email.json.spt
+++ b/www/%username/email.json.spt
@@ -29,7 +29,7 @@ msg = None
 if action in ('add-email', 'resend'):
     r = participant.add_email(address)
     if r:
-        msg = _("A verification email has been sent to {0}", address)
+        msg = _("A verification email has been sent to {0}.", address)
     else:
         raise Response(400, _("You have already added and verified this address."))
 elif action == 'set-primary':

From 5286d5264839e71c20b2c0db4543ca2734b34267 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 8 Dec 2014 18:44:53 +0100
Subject: [PATCH 085/107] fix quoting issue

---
 branch.py                      | 4 +++-
 gratipay/models/participant.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/branch.py b/branch.py
index 73bf62e285..100a5ff34b 100644
--- a/branch.py
+++ b/branch.py
@@ -4,6 +4,7 @@
 """
 from __future__ import division, print_function, unicode_literals
 
+from urllib import quote
 import uuid
 
 import gratipay
@@ -38,7 +39,8 @@ def add_email(self, email):
     scheme = gratipay.canonical_scheme
     host = gratipay.canonical_host
     username = self.username_lower
-    link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
+    quoted_email = quote(email)
+    link = "{scheme}://{host}/{username}/verify-email.html?email={quoted_email}&nonce={nonce}"
     self.send_email('initial',
                     email=email,
                     link=link.format(**locals()),
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 56e2f0db94..ba0371fce2 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -13,6 +13,7 @@
 from cgi import escape
 from datetime import timedelta
 from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
+from urllib import quote
 import uuid
 
 import aspen
@@ -505,7 +506,8 @@ def add_email(self, email):
         scheme = gratipay.canonical_scheme
         host = gratipay.canonical_host
         username = self.username_lower
-        link = "{scheme}://{host}/{username}/verify-email.html?email={email}&nonce={nonce}"
+        quoted_email = quote(email)
+        link = "{scheme}://{host}/{username}/verify-email.html?email={quoted_email}&nonce={nonce}"
         self.send_email('verification',
                         email=email,
                         link=link.format(**locals()),

From aea5b43f3a372ac619a7eec43d2d738463b5dd81 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 8 Dec 2014 18:47:14 +0100
Subject: [PATCH 086/107] fix test

---
 tests/py/test_email.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index b2cebd00fb..0d7972e71f 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -33,7 +33,7 @@ def verify_and_change_email(self, old_email, new_email, username='alice'):
     def test_participant_can_add_email(self):
         response = self.hit_email_spt('add-email', 'alice@gratipay.com')
         actual = json.loads(response.body)
-        assert actual == 1
+        assert actual
 
     def test_post_anon_returns_403(self):
         response = self.hit_email_spt('add-email', 'anon@gratipay.com', user=None, should_fail=True)

From 8a1a80a497ffdf287bb356c377e8f5bb462eee9c Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 13:43:39 -0500
Subject: [PATCH 087/107] Post to Mandrill before recording change locally

This way if an API call fails and branch.py crashes, we'll be able to
recover a little easier.
---
 branch.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/branch.py b/branch.py
index 100a5ff34b..2dea6ef5c4 100644
--- a/branch.py
+++ b/branch.py
@@ -30,11 +30,6 @@ class EmailAddressWithConfirmation(Model):
 def add_email(self, email):
     nonce = str(uuid.uuid4())
     ctime = utcnow()
-    db.run("""
-        INSERT INTO emails
-                    (address, nonce, ctime, participant)
-             VALUES (%s, %s, %s, %s)
-    """, (email, nonce, ctime, self.username))
 
     scheme = gratipay.canonical_scheme
     host = gratipay.canonical_host
@@ -47,6 +42,12 @@ def add_email(self, email):
                     username=self.username,
                     include_unsubscribe=False)
 
+    db.run("""
+        INSERT INTO emails
+                    (address, nonce, ctime, participant)
+             VALUES (%s, %s, %s, %s)
+    """, (email, nonce, ctime, self.username))
+
 
 participants = db.all("""
     SELECT p.*::participants

From 793182498bc45467340762d2b056546898baa467 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Mon, 8 Dec 2014 19:46:58 +0100
Subject: [PATCH 088/107] wait before reloading the page so the user can read
 the notification

---
 js/gratipay/account.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 4c339e9efe..3cbed11847 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -136,19 +136,20 @@ Gratipay.account.init = function() {
             data: {action: action, address: address},
             dataType: 'json',
             success: function (msg) {
-                $inputs.prop('disabled', false);
+                if (msg) {
+                    Gratipay.notification(msg, 'success');
+                }
                 if (action == 'add-email') {
                     $('input.add-email').val('');
-                    window.location.reload();
+                    setTimeout(function(){ window.location.reload(); }, 3000);
+                    return;
                 } else if (action == 'set-primary') {
                     $('.emails li').removeClass('primary');
                     $this.parent().addClass('primary');
                 } else if (action == 'remove') {
                     $this.parent().fadeOut();
                 }
-                if (msg) {
-                    Gratipay.notification(msg, 'success');
-                }
+                $inputs.prop('disabled', false);
             },
             error: function (e) {
                 $inputs.prop('disabled', false);

From 3a69204dcf528aa9396f9f4986dee210facc1a27 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 15:33:32 -0500
Subject: [PATCH 089/107] Add "Resend" button to Verify page

I moved the verification page (along with the email.json endpoint) into
a subdirectory parallel to account/, so that the relative path in the js
where we ajax post works correctly in both contexts: verify page and
account page.
---
 branch.py                                     |  2 +-
 gratipay/models/participant.py                | 12 +--
 gratipay/utils/emails.py                      |  4 +-
 js/gratipay/account.js                        | 82 ++++++++++---------
 tests/py/test_email.py                        |  4 +-
 www/%username/account/index.html.spt          |  3 +-
 .../modify.json.spt}                          |  0
 www/%username/emails/verify.html.spt          | 62 ++++++++++++++
 www/%username/verify-email.html.spt           | 45 ----------
 9 files changed, 118 insertions(+), 96 deletions(-)
 rename www/%username/{email.json.spt => emails/modify.json.spt} (100%)
 create mode 100644 www/%username/emails/verify.html.spt
 delete mode 100644 www/%username/verify-email.html.spt

diff --git a/branch.py b/branch.py
index 2dea6ef5c4..e5c57e46ef 100644
--- a/branch.py
+++ b/branch.py
@@ -35,7 +35,7 @@ def add_email(self, email):
     host = gratipay.canonical_host
     username = self.username_lower
     quoted_email = quote(email)
-    link = "{scheme}://{host}/{username}/verify-email.html?email={quoted_email}&nonce={nonce}"
+    link = "{scheme}://{host}/{username}/emails/verify.html?email={quoted_email}&nonce={nonce}"
     self.send_email('initial',
                     email=email,
                     link=link.format(**locals()),
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index ba0371fce2..31c08c01c4 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -44,7 +44,7 @@
 from gratipay.models._mixin_team import MixinTeam
 from gratipay.models.account_elsewhere import AccountElsewhere
 from gratipay.security.crypto import constant_time_compare
-from gratipay.utils import i18n, is_card_expiring
+from gratipay.utils import i18n, is_card_expiring, emails
 from gratipay.utils.username import safely_reserve_a_username
 
 
@@ -507,7 +507,7 @@ def add_email(self, email):
         host = gratipay.canonical_host
         username = self.username_lower
         quoted_email = quote(email)
-        link = "{scheme}://{host}/{username}/verify-email.html?email={quoted_email}&nonce={nonce}"
+        link = "{scheme}://{host}/{username}/emails/verify.html?email={quoted_email}&nonce={nonce}"
         self.send_email('verification',
                         email=email,
                         link=link.format(**locals()),
@@ -535,7 +535,7 @@ def update_email(self, email):
     def verify_email(self, email, nonce):
         r = self.get_email(email)
         if r and r.verified:
-            return 0  # Verified
+            return emails.ALREADY_VERIFIED
         if r and constant_time_compare(r.nonce, nonce):
             if (utcnow() - r.ctime) < EMAIL_HASH_TIMEOUT:
                 try:
@@ -550,11 +550,11 @@ def verify_email(self, email, nonce):
                     raise EmailAlreadyTaken(email)
                 if not self.email_address:
                     self.update_email(email)
-                return 0  # Verified
+                return emails.VERIFICATION_SUCCEEDED
             else:
-                return 1  # Expired
+                return emails.VERIFICATION_EXPIRED
         else:
-            return 2  # Failed
+            return emails.VERIFICATION_FAILED
 
     def get_email(self, email):
         return self.db.one("""
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 9ef189e8fc..637a7d9df0 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -5,8 +5,10 @@
 from jinja2 import Environment
 
 
-jinja_env = Environment()
+VERIFICATION_SUCCEEDED, ALREADY_VERIFIED, VERIFICATION_EXPIRED, VERIFICATION_FAILED = range(4)
+
 
+jinja_env = Environment()
 
 def compile_email_spt(fpath):
     r = {}
diff --git a/js/gratipay/account.js b/js/gratipay/account.js
index 3cbed11847..c0b5ea3192 100644
--- a/js/gratipay/account.js
+++ b/js/gratipay/account.js
@@ -1,5 +1,44 @@
 Gratipay.account = {};
 
+Gratipay.account.post_email = function(e) {
+    e.preventDefault();
+    var $this = $(this);
+    var action = this.className;
+    var $inputs = $('.emails button, .emails input');
+    console.log($this);
+    var address = $this.parent().data('email') || $('input.add-email').val();
+
+    $inputs.prop('disabled', true);
+
+    $.ajax({
+        url: '../emails/modify.json',
+        type: 'POST',
+        data: {action: action, address: address},
+        dataType: 'json',
+        success: function (msg) {
+            if (msg) {
+                Gratipay.notification(msg, 'success');
+            }
+            if (action == 'add-email') {
+                $('input.add-email').val('');
+                setTimeout(function(){ window.location.reload(); }, 3000);
+                return;
+            } else if (action == 'set-primary') {
+                $('.emails li').removeClass('primary');
+                $this.parent().addClass('primary');
+            } else if (action == 'remove') {
+                $this.parent().fadeOut();
+            }
+            $inputs.prop('disabled', false);
+        },
+        error: function (e) {
+            $inputs.prop('disabled', false);
+            error_message = JSON.parse(e.responseText).error_message_long;
+            Gratipay.notification(error_message || "Failure", 'error');
+        },
+    });
+};
+
 Gratipay.account.init = function() {
 
     // Wire up username knob.
@@ -119,48 +158,13 @@ Gratipay.account.init = function() {
         $.post('../api-key.json', {action: 'show'}, callback);
     });
 
+
     // Wire up email addresses list.
     // =============================
-    function post_email(e) {
-        e.preventDefault();
-        var $this = $(this);
-        var action = this.className;
-        var $inputs = $('.emails button, .emails input');
-        var address = $this.parent().data('email') || $('input.add-email').val();
-
-        $inputs.prop('disabled', true);
-
-        $.ajax({
-            url: '../email.json',
-            type: 'POST',
-            data: {action: action, address: address},
-            dataType: 'json',
-            success: function (msg) {
-                if (msg) {
-                    Gratipay.notification(msg, 'success');
-                }
-                if (action == 'add-email') {
-                    $('input.add-email').val('');
-                    setTimeout(function(){ window.location.reload(); }, 3000);
-                    return;
-                } else if (action == 'set-primary') {
-                    $('.emails li').removeClass('primary');
-                    $this.parent().addClass('primary');
-                } else if (action == 'remove') {
-                    $this.parent().fadeOut();
-                }
-                $inputs.prop('disabled', false);
-            },
-            error: function (e) {
-                $inputs.prop('disabled', false);
-                error_message = JSON.parse(e.responseText).error_message_long;
-                Gratipay.notification(error_message || "Failure", 'error');
-            },
-        });
-    }
+
     $('.emails button, .emails input').prop('disabled', false);
-    $('.emails button[class]').on('click', post_email);
-    $('form.add-email').on('submit', post_email);
+    $('.emails button[class]').on('click', Gratipay.account.post_email);
+    $('form.add-email').on('submit', Gratipay.account.post_email);
 
 
     // Wire up close knob.
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index 0d7972e71f..d38d1c8983 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -17,10 +17,10 @@ def hit_email_spt(self, action, address, mailer, user='alice', should_fail=False
         P = self.client.PxST if should_fail else self.client.POST
         data = {'action': action, 'address': address}
         headers = {'HTTP_ACCEPT_LANGUAGE': 'fr,en'}
-        return P('/alice/email.json', data, auth_as=user, **headers)
+        return P('/alice/emails/modify.json', data, auth_as=user, **headers)
 
     def verify_email(self, email, nonce, username='alice', should_fail=False):
-        url = '/%s/verify-email.html?email=%s&nonce=%s' % (username, email, nonce)
+        url = '/%s/emails/verify.html?email=%s&nonce=%s' % (username, email, nonce)
         G = self.client.GxT if should_fail else self.client.GET
         return G(url)
 
diff --git a/www/%username/account/index.html.spt b/www/%username/account/index.html.spt
index 6f52108e3c..345887b71b 100644
--- a/www/%username/account/index.html.spt
+++ b/www/%username/account/index.html.spt
@@ -18,7 +18,6 @@ emails = participant.get_emails()
 
 {% block scripts %}
 <script>$(document).ready(Gratipay.account.init);</script>
-
 {{ super() }}
 {% endblock %}
 
@@ -156,7 +155,7 @@ emails = participant.get_emails()
                     <span class="label-primary">{{ _("Primary") }}</span>
                     <span class="label-unverified">{{ _("Unverified") }}</span>
                     <button class="remove">{{ _("Remove") }}</button>
-                    <button class="resend">{{ _("Resend Email") }}</button>
+                    <button class="resend">{{ _("Resend email") }}</button>
                     <button class="set-primary">{{ _("Set as primary") }}</button>
                 </li>
             {% endfor %}
diff --git a/www/%username/email.json.spt b/www/%username/emails/modify.json.spt
similarity index 100%
rename from www/%username/email.json.spt
rename to www/%username/emails/modify.json.spt
diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
new file mode 100644
index 0000000000..d5cc130a0c
--- /dev/null
+++ b/www/%username/emails/verify.html.spt
@@ -0,0 +1,62 @@
+"""Verify a participant's email
+"""
+from cgi import escape
+from datetime import timedelta
+
+from aspen import Response
+from aspen.utils import utcnow
+from gratipay.utils import emails, get_participant
+
+[-----------------------------------------------------------------------------]
+
+participant = get_participant(request, restrict=False)
+qs = request.line.uri.querystring
+nonce = qs.get('nonce', '')
+email = qs.get('email', '')
+
+result = participant.verify_email(email, nonce)
+
+if not participant.email_lang:
+    participant.set_email_lang(request.headers.get("Accept-Language"))
+
+[-----------------------------------------------------------------------------]
+{% extends "templates/base.html" %}
+
+{% block scripts %}
+<script>
+    $(document).ready(function() {
+        $('button.resend').on('click', Gratipay.account.post_email);
+    });
+</script>
+{{ super() }}
+{% endblock %}
+
+{% block heading %}
+    <h1>Verify Email</h1>
+{% endblock %}
+
+{% block box %}
+    <div class="as-content">
+    {% if result == emails.VERIFICATION_SUCCEEDED %}
+        <h1>{{ _("Success!") }}</h1>
+        <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
+                "<b>%s</b>" % escape(email)) }}</p>
+    {% elif result == emails.ALREADY_VERIFIED %}
+        <h1>{{ _("Already Verified") }}</h1>
+        <p>{{ _("Your email address {0} is already connected to your Gratipay account.",
+                "<b>%s</b>" % escape(email)) }}</p>
+    {% else %}
+        {% if result == emails.VERIFICATION_EXPIRED  %}
+            <h1>{{ _("Expired") }}</h1>
+            <p>{{ _("The verification code for {0} has expired.",
+                    "<b>%s</b>" % escape(email)) }}</p>
+        {% elif result == emails.VERIFICATION_FAILED %}
+            <h1>{{ _("Failure") }}</h1>
+            <p>{{ _("The verification code for {0} is bad.",
+                    "<b>%s</b>" % escape(email)) }}</p>
+        {% endif %}
+        <p data-email="{{ email|e }}"><button class="resend">{{ _("Resend verification email") }}</button></p>
+    {% endif %}
+    <a href="/{{ participant.username }}/account/#emails">{{ _("View your email addresses") }}.</a>
+    </div>
+{% endblock %}
diff --git a/www/%username/verify-email.html.spt b/www/%username/verify-email.html.spt
deleted file mode 100644
index 5956aee096..0000000000
--- a/www/%username/verify-email.html.spt
+++ /dev/null
@@ -1,45 +0,0 @@
-"""Verify a participant's email
-"""
-from cgi import escape
-from datetime import timedelta
-
-from aspen import Response
-from aspen.utils import utcnow
-from gratipay.utils import get_participant
-
-[-----------------------------------------------------------------------------]
-
-participant = get_participant(request, restrict=False)
-qs = request.line.uri.querystring
-nonce = qs.get('nonce', '')
-email = qs.get('email', '')
-
-result = participant.verify_email(email, nonce)
-
-if not participant.email_lang:
-    participant.set_email_lang(request.headers.get("Accept-Language"))
-
-[-----------------------------------------------------------------------------]
-{% extends "templates/base.html" %}
-
-{% block heading %}
-    <h1>Verify Email</h1>
-{% endblock %}
-
-{% block box %}
-    <div class="as-content">
-    {% if result == 0 %}
-        <h1>{{ _("Success!") }}</h1>
-
-        <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
-                "<b>%s</b>" % escape(email)) }}</p>
-
-    {% elif result == 1  %}
-        <h1>{{ _("Your verification email has expired.") }}</h1>
-    {% elif result == 2 %}
-        <h1>{{ _("Failed to verify your email address") }}</h1>
-    {% endif %}
-    <a href="/{{ participant.username }}/account/#emails">{{ _("View your email addresses") }}.</a>
-    </div>
-{% endblock %}
-

From 1beb434648628a2e1a7d2bbdd6f5cb5d24ed1c88 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 15:43:09 -0500
Subject: [PATCH 090/107] Reformat branch.sql for 100 chars

---
 branch.sql | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/branch.sql b/branch.sql
index 1b61e6f059..911761bfff 100644
--- a/branch.sql
+++ b/branch.sql
@@ -4,23 +4,33 @@ BEGIN;
     , address                           text                        NOT NULL
     , verified                          boolean                     DEFAULT NULL
     , nonce                             text
-    , ctime                             timestamp with time zone    NOT NULL DEFAULT CURRENT_TIMESTAMP
+    , ctime                             timestamp with time zone    NOT NULL
+                                                                      DEFAULT CURRENT_TIMESTAMP
     , mtime                             timestamp with time zone
-    , participant                       text                        NOT NULL REFERENCES participants ON UPDATE CASCADE ON DELETE RESTRICT
-    , UNIQUE (address, verified) -- A verified email address can't be linked to multiple participants.
+    , participant                       text                        NOT NULL
+                                                                      REFERENCES participants
+                                                                      ON UPDATE CASCADE
+                                                                      ON DELETE RESTRICT
+    , UNIQUE (address, verified) -- A verified email address can't be linked to multiple
+                                 -- participants.
     , UNIQUE (participant, address)
      );
 
-    -- The participants table currently has an `email` attribute of type email_address_with confirmation
-    -- This should be deleted in the future, once the emails are migrated.
-    -- The column we're going to replace it with is named `email_address`. This is only for **verified** emails.
-    -- All unverified email stuff happens in the emails table and won't touch this attribute.
+    -- The participants table currently has an `email` attribute of type
+    -- email_address_with confirmation. This should be deleted in the future,
+    -- once the emails are migrated. The column we're going to replace it with
+    -- is named `email_address`. This is only for **verified** emails. All
+    -- unverified email stuff happens in the emails table and won't touch this
+    -- attribute.
 
     ALTER TABLE participants ADD COLUMN email_address text UNIQUE,
                              ADD COLUMN email_lang text;
 
     UPDATE events
-       SET payload = replace(replace(payload::text, '"set"', '"add"'), '"current_email"', '"email"')::json
+       SET payload = replace(replace( payload::text, '"set"', '"add"')
+                                    , '"current_email"'
+                                    , '"email"'
+                                     )::json
      WHERE payload->>'action' = 'set'
        AND (payload->'values'->'current_email') IS NOT NULL;
 

From b72d4bb7a7019187b5cc041f868073127eb278d4 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 15:57:09 -0500
Subject: [PATCH 091/107] Handle the case where the qs is empty/malformed

---
 gratipay/models/participant.py       | 2 ++
 gratipay/utils/emails.py             | 7 ++++++-
 www/%username/emails/verify.html.spt | 4 ++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 31c08c01c4..88edf4706a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -533,6 +533,8 @@ def update_email(self, email):
         self.set_attributes(email_address=email)
 
     def verify_email(self, email, nonce):
+        if '' in (email, nonce):
+            return emails.MISSING_VERIFICATION
         r = self.get_email(email)
         if r and r.verified:
             return emails.ALREADY_VERIFIED
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index 637a7d9df0..c60658402c 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -5,7 +5,12 @@
 from jinja2 import Environment
 
 
-VERIFICATION_SUCCEEDED, ALREADY_VERIFIED, VERIFICATION_EXPIRED, VERIFICATION_FAILED = range(4)
+( VERIFICATION_SUCCEEDED
+, ALREADY_VERIFIED
+, VERIFICATION_EXPIRED
+, VERIFICATION_FAILED
+, MISSING_VERIFICATION
+ ) = range(5)
 
 
 jinja_env = Environment()
diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
index d5cc130a0c..4adb51e172 100644
--- a/www/%username/emails/verify.html.spt
+++ b/www/%username/emails/verify.html.spt
@@ -45,6 +45,10 @@ if not participant.email_lang:
         <h1>{{ _("Already Verified") }}</h1>
         <p>{{ _("Your email address {0} is already connected to your Gratipay account.",
                 "<b>%s</b>" % escape(email)) }}</p>
+    {% elif result == emails.MISSING_VERIFICATION %}
+        <h1>{{ _("Missing Info") }}</h1>
+        <p>{{ _("Sorry, that's a bad link. You'll need to view your email addresses "
+                "and start over.") }}</p>
     {% else %}
         {% if result == emails.VERIFICATION_EXPIRED  %}
             <h1>{{ _("Expired") }}</h1>

From f475cec811b80e5946693c97cd0e7e5961ff3a8f Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 16:33:56 -0500
Subject: [PATCH 092/107] Base64-encode the `then` parameter during auth

This ensures that the path + querystring survey transport intact across
the authentication flow.
---
 configure-aspen.py             | 4 +++-
 templates/auth.html            | 3 ++-
 www/on/%platform/associate.spt | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/configure-aspen.py b/configure-aspen.py
index 3bfbf2743a..e3d39d804e 100644
--- a/configure-aspen.py
+++ b/configure-aspen.py
@@ -1,6 +1,7 @@
 from __future__ import division
 
 from decimal import Decimal as D
+import base64
 import threading
 import time
 import traceback
@@ -55,7 +56,8 @@ def _set_cookie(response, *args, **kw):
     'len': len,
     'float': float,
     'type': type,
-    'str': str
+    'str': str,
+    'b64encode': base64.b64encode
 }
 
 
diff --git a/templates/auth.html b/templates/auth.html
index f8c7954904..8e469ec5d9 100644
--- a/templates/auth.html
+++ b/templates/auth.html
@@ -2,7 +2,8 @@
     <form action="/on/{{ platform|e }}/redirect" method="post"
           class="auth-button {{ platform|e }} {{ class|e }}">
         <input type="hidden" name="action" value="{{ action|e }}" />
-        <input type="hidden" name="then" value="{{ path.decoded|e }}" />
+        {% set then=b64encode(path.raw + ('?' + qs.raw if qs else '')).strip() %}
+        <input type="hidden" name="then" value="{{ then }}" />
         <input type="hidden" name="user_name" value="{{ user_name|e }}" />
         <input type="hidden" name="csrf_token" value="{{ csrf_token|e }}" />
         <button type="submit">{{ caller()|e }}</button>
diff --git a/www/on/%platform/associate.spt b/www/on/%platform/associate.spt
index 9c2ce889e2..e95a62e1a5 100644
--- a/www/on/%platform/associate.spt
+++ b/www/on/%platform/associate.spt
@@ -25,6 +25,7 @@ except KeyError:
 if not cookie_value:
     raise Response(400, 'Empty cookie')
 query_data, action, then, action_user_name = json.loads(b64decode(cookie_value))
+then = b64decode(then)  # double-b64encoded to avoid other encoding issue w/ qs
 
 # Finish the auth process, the returned session is ready to use
 url = canonical_scheme+'://'+canonical_host+request.line.uri.raw

From 8328a18d55dc18dc3e2e5b48ef07645cce3e5063 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 16:35:12 -0500
Subject: [PATCH 093/107] Require authentication to verify emails

---
 www/%username/emails/verify.html.spt | 61 ++++++++++++++++------------
 1 file changed, 34 insertions(+), 27 deletions(-)

diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
index 4adb51e172..f502cfc0be 100644
--- a/www/%username/emails/verify.html.spt
+++ b/www/%username/emails/verify.html.spt
@@ -10,14 +10,13 @@ from gratipay.utils import emails, get_participant
 [-----------------------------------------------------------------------------]
 
 participant = get_participant(request, restrict=False)
-qs = request.line.uri.querystring
-nonce = qs.get('nonce', '')
-email = qs.get('email', '')
+if participant == user.participant:
+    email = qs.get('email', '')
+    nonce = qs.get('nonce', '')
+    result = participant.verify_email(email, nonce)
+    if not participant.email_lang:
+        participant.set_email_lang(request.headers.get("Accept-Language"))
 
-result = participant.verify_email(email, nonce)
-
-if not participant.email_lang:
-    participant.set_email_lang(request.headers.get("Accept-Language"))
 
 [-----------------------------------------------------------------------------]
 {% extends "templates/base.html" %}
@@ -37,30 +36,38 @@ if not participant.email_lang:
 
 {% block box %}
     <div class="as-content">
-    {% if result == emails.VERIFICATION_SUCCEEDED %}
-        <h1>{{ _("Success!") }}</h1>
-        <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
-                "<b>%s</b>" % escape(email)) }}</p>
-    {% elif result == emails.ALREADY_VERIFIED %}
-        <h1>{{ _("Already Verified") }}</h1>
-        <p>{{ _("Your email address {0} is already connected to your Gratipay account.",
-                "<b>%s</b>" % escape(email)) }}</p>
-    {% elif result == emails.MISSING_VERIFICATION %}
-        <h1>{{ _("Missing Info") }}</h1>
-        <p>{{ _("Sorry, that's a bad link. You'll need to view your email addresses "
-                "and start over.") }}</p>
+    {% if user.ANON %}
+    <h1>{{ _("Please Sign In") }}</h1>
+        {% include "templates/sign-in-using.html" %}
+        and then you'll be able to verify your email.</p>
+
+        <p>Thanks! :-)</p>
     {% else %}
-        {% if result == emails.VERIFICATION_EXPIRED  %}
-            <h1>{{ _("Expired") }}</h1>
-            <p>{{ _("The verification code for {0} has expired.",
+        {% if result == emails.VERIFICATION_SUCCEEDED %}
+            <h1>{{ _("Success!") }}</h1>
+            <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
                     "<b>%s</b>" % escape(email)) }}</p>
-        {% elif result == emails.VERIFICATION_FAILED %}
-            <h1>{{ _("Failure") }}</h1>
-            <p>{{ _("The verification code for {0} is bad.",
+        {% elif result == emails.ALREADY_VERIFIED %}
+            <h1>{{ _("Already Verified") }}</h1>
+            <p>{{ _("Your email address {0} is already connected to your Gratipay account.",
                     "<b>%s</b>" % escape(email)) }}</p>
+        {% elif result == emails.MISSING_VERIFICATION %}
+            <h1>{{ _("Missing Info") }}</h1>
+            <p>{{ _("Sorry, that's a bad link. You'll need to view your email addresses "
+                    "and start over.") }}</p>
+        {% else %}
+            {% if result == emails.VERIFICATION_EXPIRED  %}
+                <h1>{{ _("Expired") }}</h1>
+                <p>{{ _("The verification code for {0} has expired.",
+                        "<b>%s</b>" % escape(email)) }}</p>
+            {% elif result == emails.VERIFICATION_FAILED %}
+                <h1>{{ _("Failure") }}</h1>
+                <p>{{ _("The verification code for {0} is bad.",
+                        "<b>%s</b>" % escape(email)) }}</p>
+            {% endif %}
+            <p data-email="{{ email|e }}"><button class="resend">{{ _("Resend verification email") }}</button></p>
         {% endif %}
-        <p data-email="{{ email|e }}"><button class="resend">{{ _("Resend verification email") }}</button></p>
+        <a href="/{{ participant.username }}/account/#emails">{{ _("View your email addresses") }}.</a>
     {% endif %}
-    <a href="/{{ participant.username }}/account/#emails">{{ _("View your email addresses") }}.</a>
     </div>
 {% endblock %}

From 7b14196557375f2314b6ab915ff232186833c90d Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Mon, 8 Dec 2014 17:09:36 -0500
Subject: [PATCH 094/107] Fix up test suite

---
 tests/py/test_email.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index d38d1c8983..400cedc4d2 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -5,6 +5,7 @@
 from gratipay.exceptions import CannotRemovePrimaryEmail, EmailAlreadyTaken, EmailNotVerified
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
+from gratipay.utils import emails
 
 
 class TestEmail(Harness):
@@ -22,7 +23,7 @@ def hit_email_spt(self, action, address, mailer, user='alice', should_fail=False
     def verify_email(self, email, nonce, username='alice', should_fail=False):
         url = '/%s/emails/verify.html?email=%s&nonce=%s' % (username, email, nonce)
         G = self.client.GxT if should_fail else self.client.GET
-        return G(url)
+        return G(url, auth_as=username)
 
     def verify_and_change_email(self, old_email, new_email, username='alice'):
         self.hit_email_spt('add-email', old_email)
@@ -49,13 +50,13 @@ def test_post_with_no_period_symbol_is_400(self):
 
     def test_verify_email_without_adding_email(self):
         response = self.verify_email('', 'sample-nonce')
-        assert 'Failed to verify' in response.body
+        assert 'Missing Info' in response.body
 
     def test_verify_email_wrong_nonce(self):
         self.hit_email_spt('add-email', 'alice@example.com')
         nonce = 'fake-nonce'
         r = self.alice.verify_email('alice@gratipay.com', nonce)
-        assert r == 2
+        assert r == emails.VERIFICATION_FAILED
         self.verify_email('alice@example.com', nonce)
         expected = None
         actual = Participant.from_username('alice').email_address
@@ -71,7 +72,7 @@ def test_verify_email_expired_nonce(self):
         """)
         nonce = self.alice.get_email(address).nonce
         r = self.alice.verify_email(address, nonce)
-        assert r == 1
+        assert r == emails.VERIFICATION_EXPIRED
         actual = Participant.from_username('alice').email_address
         assert actual == None
 
@@ -115,7 +116,7 @@ def test_cannot_update_email_to_already_verified(self, mailer):
         self.alice.add_email('alice@gratipay.com')
         nonce = self.alice.get_email('alice@gratipay.com').nonce
         r = self.alice.verify_email('alice@gratipay.com', nonce)
-        assert r == 0
+        assert r == emails.VERIFICATION_SUCCEEDED
 
         with self.assertRaises(EmailAlreadyTaken):
             bob.add_email('alice@gratipay.com')

From df5a49b344891c2dce66097e4525559b2e11bfcc Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 09:27:23 -0500
Subject: [PATCH 095/107] Harmonize VERIFICATION_ constants

---
 gratipay/models/participant.py       | 4 ++--
 gratipay/utils/emails.py             | 4 ++--
 www/%username/emails/verify.html.spt | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 88edf4706a..fbf1852f5f 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -534,10 +534,10 @@ def update_email(self, email):
 
     def verify_email(self, email, nonce):
         if '' in (email, nonce):
-            return emails.MISSING_VERIFICATION
+            return emails.VERIFICATION_MISSING
         r = self.get_email(email)
         if r and r.verified:
-            return emails.ALREADY_VERIFIED
+            return emails.VERIFICATION_REDUNDANT
         if r and constant_time_compare(r.nonce, nonce):
             if (utcnow() - r.ctime) < EMAIL_HASH_TIMEOUT:
                 try:
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index c60658402c..f78ddedbab 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -6,10 +6,10 @@
 
 
 ( VERIFICATION_SUCCEEDED
-, ALREADY_VERIFIED
+, VERIFICATION_REDUNDANT
 , VERIFICATION_EXPIRED
 , VERIFICATION_FAILED
-, MISSING_VERIFICATION
+, VERIFICATION_MISSING
  ) = range(5)
 
 
diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
index f502cfc0be..78952216e5 100644
--- a/www/%username/emails/verify.html.spt
+++ b/www/%username/emails/verify.html.spt
@@ -47,11 +47,11 @@ if participant == user.participant:
             <h1>{{ _("Success!") }}</h1>
             <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
                     "<b>%s</b>" % escape(email)) }}</p>
-        {% elif result == emails.ALREADY_VERIFIED %}
+        {% elif result == emails.VERIFICATION_REDUNDANT %}
             <h1>{{ _("Already Verified") }}</h1>
             <p>{{ _("Your email address {0} is already connected to your Gratipay account.",
                     "<b>%s</b>" % escape(email)) }}</p>
-        {% elif result == emails.MISSING_VERIFICATION %}
+        {% elif result == emails.VERIFICATION_MISSING %}
             <h1>{{ _("Missing Info") }}</h1>
             <p>{{ _("Sorry, that's a bad link. You'll need to view your email addresses "
                     "and start over.") }}</p>

From 14be73e9dfae2019d7e1b98a66be5ba066e6ef65 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 09:27:57 -0500
Subject: [PATCH 096/107] Tweak comment

---
 www/on/%platform/associate.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/on/%platform/associate.spt b/www/on/%platform/associate.spt
index e95a62e1a5..98898a4a77 100644
--- a/www/on/%platform/associate.spt
+++ b/www/on/%platform/associate.spt
@@ -25,7 +25,7 @@ except KeyError:
 if not cookie_value:
     raise Response(400, 'Empty cookie')
 query_data, action, then, action_user_name = json.loads(b64decode(cookie_value))
-then = b64decode(then)  # double-b64encoded to avoid other encoding issue w/ qs
+then = b64decode(then)  # double-b64encoded to avoid other encoding issues w/ qs
 
 # Finish the auth process, the returned session is ready to use
 url = canonical_scheme+'://'+canonical_host+request.line.uri.raw

From 87ef00ab88f6605c1768f5eaa300f6c4415e5a17 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 10:38:11 -0500
Subject: [PATCH 097/107] Give ourselves room for comments in branch.sql

---
 branch.sql | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/branch.sql b/branch.sql
index 911761bfff..70c556dcd4 100644
--- a/branch.sql
+++ b/branch.sql
@@ -1,16 +1,17 @@
 BEGIN;
     CREATE TABLE emails
-    ( id                                serial                      PRIMARY KEY
-    , address                           text                        NOT NULL
-    , verified                          boolean                     DEFAULT NULL
-    , nonce                             text
-    , ctime                             timestamp with time zone    NOT NULL
-                                                                      DEFAULT CURRENT_TIMESTAMP
-    , mtime                             timestamp with time zone
-    , participant                       text                        NOT NULL
-                                                                      REFERENCES participants
-                                                                      ON UPDATE CASCADE
-                                                                      ON DELETE RESTRICT
+    ( id            serial                      PRIMARY KEY
+    , address       text                        NOT NULL
+    , verified      boolean                     DEFAULT NULL
+    , nonce         text
+    , ctime         timestamp with time zone    NOT NULL
+                                                  DEFAULT CURRENT_TIMESTAMP
+    , mtime         timestamp with time zone
+    , participant   text                        NOT NULL
+                                                  REFERENCES participants
+                                                  ON UPDATE CASCADE
+                                                  ON DELETE RESTRICT
+
     , UNIQUE (address, verified) -- A verified email address can't be linked to multiple
                                  -- participants.
     , UNIQUE (participant, address)

From 66f8f64e223cd618015964d579bc99dd2360598c Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 10:39:02 -0500
Subject: [PATCH 098/107] Add a constraint and comment to verified

---
 branch.sql | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/branch.sql b/branch.sql
index 70c556dcd4..1fe5974c1a 100644
--- a/branch.sql
+++ b/branch.sql
@@ -3,6 +3,10 @@ BEGIN;
     ( id            serial                      PRIMARY KEY
     , address       text                        NOT NULL
     , verified      boolean                     DEFAULT NULL
+                                                  CONSTRAINT verified_cant_be_false
+                                                    -- Only use TRUE and NULL, so that the unique
+                                                    -- constraint below functions properly.
+                                                    CHECK (verified IS NOT FALSE)
     , nonce         text
     , ctime         timestamp with time zone    NOT NULL
                                                   DEFAULT CURRENT_TIMESTAMP
@@ -13,7 +17,10 @@ BEGIN;
                                                   ON DELETE RESTRICT
 
     , UNIQUE (address, verified) -- A verified email address can't be linked to multiple
-                                 -- participants.
+                                 -- participants. However, an *un*verified address *can*
+                                 -- be linked to multiple participants. We implement this
+                                 -- by using NULL instead of FALSE for the unverified
+                                 -- state, hence the check constraint on verified.
     , UNIQUE (participant, address)
      );
 

From c8d0c16a71ec32d8736ddac6c1a53f369538790a Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 11:11:10 -0500
Subject: [PATCH 099/107] Clean up check on number of emails

This gets rid of a turd in get_emails to boot.
---
 gratipay/models/participant.py |  8 ++++----
 tests/py/test_email.py         | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index fbf1852f5f..39e675c5ff 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -478,7 +478,7 @@ def add_email(self, email):
             else:
                 raise EmailAlreadyTaken(email)
 
-        if len(self.get_emails('verified is null')) > 9:
+        if len(self.get_emails()) > 9:
             raise TooManyEmailAddresses(email)
 
         nonce = str(uuid.uuid4())
@@ -566,13 +566,13 @@ def get_email(self, email):
                AND address=%s
         """, (self.username, email))
 
-    def get_emails(self, condition='true'):
+    def get_emails(self):
         return self.db.all("""
             SELECT *
               FROM emails
-             WHERE participant=%s AND {0}
+             WHERE participant=%s
           ORDER BY id
-        """.format(condition), (self.username,))
+        """, (self.username,))
 
     def remove_email(self, address):
         if address == self.email_address:
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index 400cedc4d2..afd5f3e330 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -3,6 +3,7 @@
 import mock
 
 from gratipay.exceptions import CannotRemovePrimaryEmail, EmailAlreadyTaken, EmailNotVerified
+from gratipay.exceptions import TooManyEmailAddresses
 from gratipay.models.participant import Participant
 from gratipay.testing import Harness
 from gratipay.utils import emails
@@ -126,6 +127,21 @@ def test_cannot_update_email_to_already_verified(self, mailer):
         email_alice = Participant.from_username('alice').email_address
         assert email_alice == 'alice@gratipay.com'
 
+    @mock.patch.object(Participant, '_mailer')
+    def test_cannot_add_too_many_emails(self, mailer):
+        self.alice.add_email('alice@gratipay.com')
+        self.alice.add_email('alice@gratipay.net')
+        self.alice.add_email('alice@gratipay.org')
+        self.alice.add_email('alice@gratipay.co.uk')
+        self.alice.add_email('alice@gratipay.io')
+        self.alice.add_email('alice@gratipay.co')
+        self.alice.add_email('alice@gratipay.eu')
+        self.alice.add_email('alice@gratipay.asia')
+        self.alice.add_email('alice@gratipay.museum')
+        self.alice.add_email('alice@gratipay.py')
+        with self.assertRaises(TooManyEmailAddresses):
+            self.alice.add_email('alice@gratipay.coop')
+
     def test_account_page_shows_emails(self):
         self.verify_and_change_email('alice@example.com', 'alice@example.net')
         body = self.client.GET("/alice/account/", auth_as="alice").body

From 114b39b356dc2400b65eb39052564c9c08633ce8 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 11:19:02 -0500
Subject: [PATCH 100/107] Make room for longer field names

---
 branch.sql | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/branch.sql b/branch.sql
index 1fe5974c1a..7bbdef57cc 100644
--- a/branch.sql
+++ b/branch.sql
@@ -1,20 +1,21 @@
 BEGIN;
     CREATE TABLE emails
-    ( id            serial                      PRIMARY KEY
-    , address       text                        NOT NULL
-    , verified      boolean                     DEFAULT NULL
-                                                  CONSTRAINT verified_cant_be_false
-                                                    -- Only use TRUE and NULL, so that the unique
-                                                    -- constraint below functions properly.
-                                                    CHECK (verified IS NOT FALSE)
-    , nonce         text
-    , ctime         timestamp with time zone    NOT NULL
-                                                  DEFAULT CURRENT_TIMESTAMP
-    , mtime         timestamp with time zone
-    , participant   text                        NOT NULL
-                                                  REFERENCES participants
-                                                  ON UPDATE CASCADE
-                                                  ON DELETE RESTRICT
+    ( id                    serial                      PRIMARY KEY
+    , address               text                        NOT NULL
+    , verified              boolean                     DEFAULT NULL
+                                                          CONSTRAINT verified_cant_be_false
+                                                            -- Only use TRUE and NULL, so that the
+                                                            -- unique constraint below functions
+                                                            -- properly.
+                                                            CHECK (verified IS NOT FALSE)
+    , nonce                 text
+    , ctime                 timestamp with time zone    NOT NULL
+                                                          DEFAULT CURRENT_TIMESTAMP
+    , mtime                 timestamp with time zone
+    , participant           text                        NOT NULL
+                                                          REFERENCES participants
+                                                          ON UPDATE CASCADE
+                                                          ON DELETE RESTRICT
 
     , UNIQUE (address, verified) -- A verified email address can't be linked to multiple
                                  -- participants. However, an *un*verified address *can*

From f01be44622f997e2601d4fac14b0f6428670d5ed Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 11:23:43 -0500
Subject: [PATCH 101/107] Rename {c,m}time to verification_{start,end}

---
 branch.sql                     |  4 ++--
 gratipay/models/participant.py | 16 ++++++++--------
 tests/py/test_email.py         |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/branch.sql b/branch.sql
index 7bbdef57cc..29c5803ab6 100644
--- a/branch.sql
+++ b/branch.sql
@@ -9,9 +9,9 @@ BEGIN;
                                                             -- properly.
                                                             CHECK (verified IS NOT FALSE)
     , nonce                 text
-    , ctime                 timestamp with time zone    NOT NULL
+    , verification_start    timestamp with time zone    NOT NULL
                                                           DEFAULT CURRENT_TIMESTAMP
-    , mtime                 timestamp with time zone
+    , verification_end      timestamp with time zone
     , participant           text                        NOT NULL
                                                           REFERENCES participants
                                                           ON UPDATE CASCADE
diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 39e675c5ff..0af42bfbf1 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -482,24 +482,24 @@ def add_email(self, email):
             raise TooManyEmailAddresses(email)
 
         nonce = str(uuid.uuid4())
-        ctime = utcnow()
+        verification_start = utcnow()
         try:
             with self.db.get_cursor() as c:
                 add_event(c, 'participant', dict(id=self.id, action='add', values=dict(email=email)))
                 c.run("""
                     INSERT INTO emails
-                                (address, nonce, ctime, participant)
+                                (address, nonce, verification_start, participant)
                          VALUES (%s, %s, %s, %s)
-                """, (email, nonce, ctime, self.username))
+                """, (email, nonce, verification_start, self.username))
         except IntegrityError:
             nonce = self.db.one("""
                 UPDATE emails
-                   SET ctime=%s
+                   SET verification_start=%s
                  WHERE participant=%s
                    AND address=%s
                    AND verified IS NULL
              RETURNING nonce
-            """, (ctime, self.username, email))
+            """, (verification_start, self.username, email))
             if not nonce:
                 return self.add_email(email)
 
@@ -539,11 +539,11 @@ def verify_email(self, email, nonce):
         if r and r.verified:
             return emails.VERIFICATION_REDUNDANT
         if r and constant_time_compare(r.nonce, nonce):
-            if (utcnow() - r.ctime) < EMAIL_HASH_TIMEOUT:
+            if (utcnow() - r.verification_start) < EMAIL_HASH_TIMEOUT:
                 try:
                     self.db.run("""
                         UPDATE emails
-                           SET verified=true, mtime=now(), nonce=NULL
+                           SET verified=true, verification_end=now(), nonce=NULL
                          WHERE participant=%s
                            AND address=%s
                            AND verified IS NULL
@@ -1349,7 +1349,7 @@ def take_over(self, account, have_confirmation=False):
                      SELECT DISTINCT ON (address) id
                        FROM emails
                       WHERE participant IN (%(dead)s, %(live)s)
-                   ORDER BY address, mtime, ctime DESC
+                   ORDER BY address, verification_end, verification_start DESC
                  )
             DELETE FROM emails
              WHERE participant IN (%(dead)s, %(live)s)
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
index afd5f3e330..83e09cffaa 100644
--- a/tests/py/test_email.py
+++ b/tests/py/test_email.py
@@ -68,7 +68,7 @@ def test_verify_email_expired_nonce(self):
         self.hit_email_spt('add-email', address)
         self.db.run("""
             UPDATE emails
-               SET ctime = (now() - INTERVAL '25 hours')
+               SET verification_start = (now() - INTERVAL '25 hours')
              WHERE participant = 'alice'
         """)
         nonce = self.alice.get_email(address).nonce

From a79ed2f2396c5bd8065b3255cbc4b93d8e54e532 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 11:59:03 -0500
Subject: [PATCH 102/107] Flatten verify_email

---
 gratipay/models/participant.py | 40 +++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 0af42bfbf1..d45aa55928 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -536,27 +536,27 @@ def verify_email(self, email, nonce):
         if '' in (email, nonce):
             return emails.VERIFICATION_MISSING
         r = self.get_email(email)
-        if r and r.verified:
-            return emails.VERIFICATION_REDUNDANT
-        if r and constant_time_compare(r.nonce, nonce):
-            if (utcnow() - r.verification_start) < EMAIL_HASH_TIMEOUT:
-                try:
-                    self.db.run("""
-                        UPDATE emails
-                           SET verified=true, verification_end=now(), nonce=NULL
-                         WHERE participant=%s
-                           AND address=%s
-                           AND verified IS NULL
-                    """, (self.username, email))
-                except IntegrityError:
-                    raise EmailAlreadyTaken(email)
-                if not self.email_address:
-                    self.update_email(email)
-                return emails.VERIFICATION_SUCCEEDED
-            else:
-                return emails.VERIFICATION_EXPIRED
-        else:
+        if r is None or not constant_time_compare(r.nonce, nonce):
             return emails.VERIFICATION_FAILED
+        if (utcnow() - r.verification_start) > EMAIL_HASH_TIMEOUT:
+            return emails.VERIFICATION_EXPIRED
+        if r.verified:
+            return emails.VERIFICATION_REDUNDANT
+
+        try:
+            self.db.run("""
+                UPDATE emails
+                   SET verified=true, verification_end=now(), nonce=NULL
+                 WHERE participant=%s
+                   AND address=%s
+                   AND verified IS NULL
+            """, (self.username, email))
+        except IntegrityError:
+            raise EmailAlreadyTaken(email)
+        if not self.email_address:
+            self.update_email(email)
+
+        return emails.VERIFICATION_SUCCEEDED
 
     def get_email(self, email):
         return self.db.one("""

From 42bbdc02a367aa11f9a9fd196ef7d929dff1538f Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 12:01:51 -0500
Subject: [PATCH 103/107] Handle case where auth'd is on wrong verify.html

---
 www/%username/emails/verify.html.spt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
index 78952216e5..6ef954417e 100644
--- a/www/%username/emails/verify.html.spt
+++ b/www/%username/emails/verify.html.spt
@@ -16,6 +16,8 @@ if participant == user.participant:
     result = participant.verify_email(email, nonce)
     if not participant.email_lang:
         participant.set_email_lang(request.headers.get("Accept-Language"))
+elif not user.ANON:
+    raise Response(403)
 
 
 [-----------------------------------------------------------------------------]

From dd61c5b16ddeaa15ffdd59d573ae6590b4753176 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 12:19:14 -0500
Subject: [PATCH 104/107] Use same pattern for "already taken" error

---
 gratipay/models/participant.py       |  5 ++---
 gratipay/utils/emails.py             | 11 ++++++-----
 www/%username/emails/verify.html.spt |  4 ++++
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index d45aa55928..8024686d77 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -542,7 +542,6 @@ def verify_email(self, email, nonce):
             return emails.VERIFICATION_EXPIRED
         if r.verified:
             return emails.VERIFICATION_REDUNDANT
-
         try:
             self.db.run("""
                 UPDATE emails
@@ -552,10 +551,10 @@ def verify_email(self, email, nonce):
                    AND verified IS NULL
             """, (self.username, email))
         except IntegrityError:
-            raise EmailAlreadyTaken(email)
+            return emails.VERIFICATION_STYMIED
+
         if not self.email_address:
             self.update_email(email)
-
         return emails.VERIFICATION_SUCCEEDED
 
     def get_email(self, email):
diff --git a/gratipay/utils/emails.py b/gratipay/utils/emails.py
index f78ddedbab..e932accb16 100644
--- a/gratipay/utils/emails.py
+++ b/gratipay/utils/emails.py
@@ -5,12 +5,13 @@
 from jinja2 import Environment
 
 
-( VERIFICATION_SUCCEEDED
-, VERIFICATION_REDUNDANT
-, VERIFICATION_EXPIRED
+( VERIFICATION_MISSING
 , VERIFICATION_FAILED
-, VERIFICATION_MISSING
- ) = range(5)
+, VERIFICATION_EXPIRED
+, VERIFICATION_REDUNDANT
+, VERIFICATION_STYMIED
+, VERIFICATION_SUCCEEDED
+ ) = range(6)
 
 
 jinja_env = Environment()
diff --git a/www/%username/emails/verify.html.spt b/www/%username/emails/verify.html.spt
index 6ef954417e..12cb168161 100644
--- a/www/%username/emails/verify.html.spt
+++ b/www/%username/emails/verify.html.spt
@@ -49,6 +49,10 @@ elif not user.ANON:
             <h1>{{ _("Success!") }}</h1>
             <p>{{ _("Your email address {0} is now connected to your Gratipay account.",
                     "<b>%s</b>" % escape(email)) }}</p>
+        {% elif result == emails.VERIFICATION_STYMIED %}
+            <h1>{{ _("Address Taken") }}</h1>
+            <p>{{ _("The email address {0} is already connected to a different Gratipay account.",
+                    "<b>%s</b>" % escape(email)) }}</p>
         {% elif result == emails.VERIFICATION_REDUNDANT %}
             <h1>{{ _("Already Verified") }}</h1>
             <p>{{ _("Your email address {0} is already connected to your Gratipay account.",

From ee65f9a58ed26257fb0cd4eeb3bf7694044809d5 Mon Sep 17 00:00:00 2001
From: Chad Whitacre <chad@zetaweb.com>
Date: Tue, 9 Dec 2014 12:30:26 -0500
Subject: [PATCH 105/107] Note MANDRILL_KEY in README

---
 README.md | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 48c73776e8..0e27e5c07e 100644
--- a/README.md
+++ b/README.md
@@ -223,16 +223,23 @@ The site works without this, except for the credit card page. Visit the
 [Balanced Documentation](https://www.balancedpayments.com/docs) if you want to
 know more about creating marketplaces.
 
-The GITHUB_* keys are for a gratipay-dev application in the Gratipay organization
-on Github. It points back to localhost:8537, which is where Gratipay will be
-running if you start it locally with `make run`. Similarly with the TWITTER_*
-keys, but there they required us to spell it `127.0.0.1`.
+The `GITHUB_*` keys are for a gratipay-dev application in the Gratipay
+organization on Github. It points back to localhost:8537, which is where
+Gratipay will be running if you start it locally with `make run`. Similarly
+with the `TWITTER_*` keys, but there they required us to spell it `127.0.0.1`.
 
 If you wish to use a different username or database name for the database, you
 should override the `DATABASE_URL` in `local.env` using the following format:
 
     DATABASE_URL=postgres://<username>@localhost/<database name>
 
+The `MANDRILL_KEY` value in `defaults.env` is for a test mail server, which
+won't actually send email to you. If you need to receive email during
+development then sign up for an account of your own at
+[Mandrill](http://mandrill.com/) and override `MANDRILL_KEY` in your
+`local.env`.
+
+
 Vagrant
 -------
 If you have Vagrant installed, you can run Gratipay by running `vagrant up` from the project directory. Please note that if you ever switch between running Gratipay on your own machine to Vagrant or vice versa, you will need to run `make clean`.

From 2ab41452f0f0a5fa7573c1334091f2bbae71cce7 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 9 Dec 2014 18:43:29 +0100
Subject: [PATCH 106/107] fix order of checks

---
 gratipay/models/participant.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gratipay/models/participant.py b/gratipay/models/participant.py
index 8024686d77..9c501aae2a 100644
--- a/gratipay/models/participant.py
+++ b/gratipay/models/participant.py
@@ -538,10 +538,10 @@ def verify_email(self, email, nonce):
         r = self.get_email(email)
         if r is None or not constant_time_compare(r.nonce, nonce):
             return emails.VERIFICATION_FAILED
-        if (utcnow() - r.verification_start) > EMAIL_HASH_TIMEOUT:
-            return emails.VERIFICATION_EXPIRED
         if r.verified:
             return emails.VERIFICATION_REDUNDANT
+        if (utcnow() - r.verification_start) > EMAIL_HASH_TIMEOUT:
+            return emails.VERIFICATION_EXPIRED
         try:
             self.db.run("""
                 UPDATE emails

From 835de34101e495189d005b7723002c37b0107ff7 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Tue, 9 Dec 2014 18:49:33 +0100
Subject: [PATCH 107/107] fix use of obsolete column name in `branch.py`

---
 branch.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/branch.py b/branch.py
index e5c57e46ef..0a6ddf5187 100644
--- a/branch.py
+++ b/branch.py
@@ -29,7 +29,7 @@ class EmailAddressWithConfirmation(Model):
 
 def add_email(self, email):
     nonce = str(uuid.uuid4())
-    ctime = utcnow()
+    verification_start = utcnow()
 
     scheme = gratipay.canonical_scheme
     host = gratipay.canonical_host
@@ -44,9 +44,9 @@ def add_email(self, email):
 
     db.run("""
         INSERT INTO emails
-                    (address, nonce, ctime, participant)
+                    (address, nonce, verification_start, participant)
              VALUES (%s, %s, %s, %s)
-    """, (email, nonce, ctime, self.username))
+    """, (email, nonce, verification_start, self.username))
 
 
 participants = db.all("""