Don't call handleValidLogin() when impersonating a user

Resolves #4130

CHANGELOG-v3.md

@@ -10,6 +10,7 @@
 - Fixed PHP type errors that could occur when calling some deprecated `craft.request` methods in templates. ([#4124](https://github.com/craftcms/cms/issues/4124))
 - Fixed performance issues that could occur where uploading GIFs in the Control Panel.
 - Fixed a bug where it wasn’t possible to create a new global set with the same name or handle as a soft-deleted one. ([#4091](https://github.com/craftcms/cms/issues/4091))
+- Fixed a bug where pending users’ verification codes were getting deleted if they were impersonated by an admin. ([#4130](https://github.com/craftcms/cms/issues/4130))
 
 ## 3.1.22 - 2019-04-10
 

src/web/User.php

@@ -404,7 +404,8 @@ protected function afterLogin($identity, $cookieBased, $duration)
         $session = Craft::$app->getSession();
 
         // Save the username cookie if they're not being impersonated
-        if ($session->get(UserElement::IMPERSONATE_KEY) === null) {
+        $impersonating = $session->get(UserElement::IMPERSONATE_KEY) !== null;
+        if (!$impersonating) {
             $this->sendUsernameCookie($identity);
         }
 
@@ -415,7 +416,9 @@ protected function afterLogin($identity, $cookieBased, $duration)
         $session->remove($this->elevatedSessionTimeoutParam);
 
         // Update the user record
-        Craft::$app->getUsers()->handleValidLogin($identity);
+        if (!$impersonating) {
+            Craft::$app->getUsers()->handleValidLogin($identity);
+        }
 
         parent::afterLogin($identity, $cookieBased, $duration);
     }