From 58d0faff7f2d8d987136fea33e1086a0ba8438db Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 21 Dec 2021 15:59:00 +0100
Subject: [PATCH] ensure we clear the token on delete()
---
 core/admin/mailu/utils.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/core/admin/mailu/utils.py b/core/admin/mailu/utils.py
index 5d51a730..73c2c058 100644
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -231,8 +231,6 @@ class MailuSession(CallbackDict, SessionMixin):
 def destroy(self):
 """ destroy session for security reasons. """
- if 'webmail_token' in self:
- self.app.session_store.delete(self['webmail_token'])
 self.delete()
 self._uid = None
@@ -246,13 +244,15 @@ class MailuSession(CallbackDict, SessionMixin):
 def regenerate(self):
 """ generate new id for session to avoid `session fixation`. """
- self.delete()
+ self.delete(clear_token=False)
 self._sid = None
 self.modified = True
- def delete(self):
+ def delete(self, clear_token=True):
 """ Delete stored session. """
 if self.saved:
+ if clear_token and 'webmail_token' in self:
+ self.app.session_store.delete(self['webmail_token'])
 self.app.session_store.delete(self._key)
 self._key = None
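Review bot: In the new `delete`, the webmail token is revoked only inside `if self.saved:`, whereas the branch removed from `destroy` in the first hunk revoked it whenever `'webmail_token' in self`; if a token can be present in an unsaved session, `destroy()` now leaves that token live in the store, so either confirm that cannot happen or move the `clear_token and 'webmail_token' in self` check above the `if self.saved:` guard. The new boolean parameter is positional; making it keyword-only, `def delete(self, *, clear_token=True):`, keeps the `regenerate` call site unchanged and prevents an ambiguous `delete(False)` later. The docstring should also state the new contract, e.g. `""" Delete stored session; also revokes its webmail token unless clear_token is False. """`. The enclosing MailuSession class and the remainder of `delete`'s body continue outside the hunk.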