From bc598d1abb8a663283c78e4084c1e8cec19218ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Loipf=C3=BChrer?= <michael.loipfuehrer@stusta.de>
Date: Fri, 27 Feb 2026 19:19:36 +0100
Subject: [PATCH] fix(core): allow registrations and password recoveries to
 overwrite existing ones

fixes #288
---
 abrechnung/application/users.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/abrechnung/application/users.py b/abrechnung/application/users.py
index f81f628d..6ebd9d56 100644
--- a/abrechnung/application/users.py
+++ b/abrechnung/application/users.py
@@ -240,6 +240,7 @@ async def register_user(
             raise InvalidArgument("Registering new user failed")
 
         if requires_email_confirmation:
+            await conn.execute("delete from pending_registration where user_id = $1", user_id)
             await conn.execute("insert into pending_registration (user_id) values ($1)", user_id)
 
         return user_id
@@ -336,6 +337,7 @@ async def request_email_change(self, *, conn: Connection, user: User, password:
         if not valid_pw:
             raise InvalidPassword
 
+        await conn.execute("delete from pending_email_change where user_id = $1", user.id)
         await conn.execute(
             "insert into pending_email_change (user_id, new_email) values ($1, $2)",
             user.id,
@@ -366,6 +368,7 @@ async def request_password_recovery(self, *, conn: Connection, email: str):
         if not user_id:
             raise InvalidArgument("permission denied")
 
+        await conn.execute("delete from pending_password_recovery where user_id = $1", user_id)
         await conn.execute(
             "insert into pending_password_recovery (user_id) values ($1)",
             user_id,