users: use sudo mode when changing email addresses.

When a user tries to change their email, redirect them to the confirm password page (like Github's sudo mode) instead of having them re-enter their password on the change email page. This is the same thing we do when a user updates their API keys. This way we have can use the same confirm password authentication flow for everything that needs a password.
2021-05-18 22:50:09 -05:00
parent 12eacbe76f
commit 24ead500f0
5 changed files with 47 additions and 36 deletions
--- a/app/controllers/emails_controller.rb
+++ b/app/controllers/emails_controller.rb
@@ -1,4 +1,5 @@
 class EmailsController < ApplicationController
+  before_action :requires_reauthentication, only: [:edit, :update]
  respond_to :html, :xml, :json

  def index
@@ -24,17 +25,10 @@ class EmailsController < ApplicationController

  def update
    @user = authorize User.find(params[:user_id]), policy_class: EmailAddressPolicy
-
-    if @user.authenticate_password(params[:user][:password])
-      UserEvent.build_from_request(@user, :email_change, request)
-      @user.update(email_address_attributes: { address: params[:user][:email] })
-    else
-      @user.errors.add(:base, "Password was incorrect")
-    end
+    @user.change_email(params[:user][:email], request)

    if @user.errors.none?
      flash[:notice] = "Email updated. Check your email to confirm your new address"
-      UserMailer.email_change_confirmation(@user).deliver_later
      respond_with(@user, location: settings_url)
    else
      flash[:notice] = @user.errors.full_messages.join("; ")
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -361,6 +361,17 @@ class User < ApplicationRecord
    def can_receive_email?(require_verification: true)
      email_address.present? && email_address.is_deliverable? && (email_address.is_verified? || !require_verification)
    end
+
+    def change_email(new_email, request)
+      transaction do
+        update(email_address_attributes: { address: new_email })
+
+        if errors.none?
+          UserEvent.create_from_request!(self, :email_change, request)
+          UserMailer.email_change_confirmation(self).deliver_later
+        end
+      end
+    end
  end

  concerning :BlacklistMethods do
--- a/app/views/emails/edit.html.erb
+++ b/app/views/emails/edit.html.erb
@@ -1,17 +1,10 @@
 <div id="c-emails">
  <div id="a-edit" class="fixed-width-container">
+    <% page_title "Change Email" %>
+    <h1>Change Email</h1>
+
    <% if @user.email_address.present? %>
-      <% page_title "Change Email" %>
-      <h1>Change Email</h1>
-
      <p>Your current email address is <strong><%= @user.email_address.address %></strong>.
-      You must re-enter your password in order to update your email address.</p>
-    <% else %>
-      <% page_title "Add Email" %>
-      <h1>Add Email</h1>
-
-      <p>Add a new email address below. You must re-enter your password in
-      order to update your email address.</p>
    <% end %>

    <% if @user.is_restricted? %>
@@ -23,8 +16,7 @@
    <% end %>

    <%= edit_form_for(@user, url: user_email_path(@user)) do |f| %>
-      <%= f.input :email, as: :email, label: "New Email", input_html: { value: "" } %>
-      <%= f.input :password %>
+      <%= f.input :email, as: :email, input_html: { value: @user&.email_address&.address } %>
      <%= f.submit "Save" %>
    <% end %>
  </div>