jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: use sudo mode when changing email addresses.

Browse Source 
When a user tries to change their email, redirect them to the confirm
password page (like Github's sudo mode) instead of having them re-enter
their password on the change email page. This is the same thing we do
when a user updates their API keys. This way we have can use the same
confirm password authentication flow for everything that needs a
password.
This commit is contained in:
evazion
2021-05-18 22:50:09 -05:00
parent 12eacbe76f
commit 24ead500f0
5 changed files with 47 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/controllers/emails_controller.rb
View File

@@ -1,4 +1,5 @@
class EmailsController < ApplicationController
before_action :requires_reauthentication, only: [:edit, :update]
respond_to :html, :xml, :json
def index
@@ -24,17 +25,10 @@ class EmailsController < ApplicationController
def update
@user = authorize User.find(params[:user_id]), policy_class: EmailAddressPolicy
if @user.authenticate_password(params[:user][:password])
UserEvent.build_from_request(@user, :email_change, request)
@user.update(email_address_attributes: { address: params[:user][:email] })
else
@user.errors.add(:base, "Password was incorrect")
end
@user.change_email(params[:user][:email], request)
if @user.errors.none?
flash[:notice] = "Email updated. Check your email to confirm your new address"
UserMailer.email_change_confirmation(@user).deliver_later
respond_with(@user, location: settings_url)
else
flash[:notice] = @user.errors.full_messages.join("; ")