users: let mods see email addresses on user profiles.

* Let Mods and Admins see the email addresses of users below their level.
* Let users see their own email address on their profile.
* Let users verify or edit their email address from their profile.

This is to make catching sockpuppets easier, and to make it easier for
users to fix their email.

app/javascript/src/styles/base/040_colors.css

@@ -201,6 +201,9 @@
   --user-member-color: var(--link-color);
   --user-banned-color: black;
 
+  --user-verified-email-color: #0A0;
+  --user-unverified-email-color: #F80;
+
   --news-updates-background: #EEE;
   --news-updates-border: 2px solid #666;
 
@@ -291,6 +294,9 @@ body[data-current-user-theme="dark"] {
   --user-moderator-color: var(--green-1);
   --user-admin-color: var(--red-1);
 
+  --user-verified-email-color: var(--green-1);
+  --user-unverified-email-color: var(--yellow-1);
+
   /* misc specific colors */
   --autocomplete-selected-background-color: var(--grey-3);
   --autocomplete-border: 1px solid var(--grey-4);

app/javascript/src/styles/specific/users.scss

@@ -30,6 +30,14 @@ div#c-users {
       p {
         margin-bottom: 0.5em;
       }
+
+      .user-verified-email-icon {
+        color: var(--user-verified-email-color);
+      }
+
+      .user-unverified-email-icon {
+        color: var(--user-unverified-email-color);
+      }
     }
   }
 

app/policies/email_address_policy.rb

@@ -1,6 +1,6 @@
 class EmailAddressPolicy < ApplicationPolicy
   def show?
-    record.user_id == user.id
+    record.user_id == user.id || (user.is_moderator? && record.user.level < user.level)
   end
 
   def update?

app/policies/nil_class_policy.rb

@@ -0,0 +1,21 @@
+class NilClassPolicy < ApplicationPolicy
+  def index?
+    false
+  end
+
+  def show?
+    false
+  end
+
+  def create?
+    false
+  end
+
+  def update?
+    false
+  end
+
+  def destroy?
+    false
+  end
+end

app/views/emails/verify.html.erb

@@ -6,12 +6,12 @@
 
     <% if @user.is_restricted? %>
       <p>Your account is restricted because you signed up from a VPN or proxy.
-      You can still use the site, but you won't be able to leave comments, edit
-      tags, or upload posts until you verify your account.</p>
+      You can still use the site, but you must verify your email address to be
+      able to leave comments, edit tags, or upload posts.</p>
     <% end %>
 
-    <p>Click below to send an email to <strong><%= @email_address.address %></strong>
-    to verify your account.</p>
+    <p>Your email address is unverified. Click below to send an email to
+    <strong><%= @email_address.address %></strong> to verify your email address.</p>
 
     <%= edit_form_for(@user, method: :post, url: send_confirmation_user_email_path(@user)) do |f| %>
       <%= f.submit "Send confirmation email" %>

app/views/users/_statistics.html.erb

@@ -10,6 +10,7 @@
         <th>Join Date</th>
         <td><%= presenter.join_date %></td>
       </tr>
+
       <% if policy(IpAddress).show? %>
         <tr>
           <th>Last IP</th>
@@ -27,6 +28,33 @@
         </tr>
       <% end %>
 
+      <% if policy(user.email_address).show? %>
+        <tr class="user-email-address">
+          <th>Email Address</th>
+          <td>
+            <% if user.email_address.present? %>
+              <%= user.email_address.address %>
+
+              <% if user == CurrentUser.user %>
+                (<%= link_to "edit", edit_user_email_path(user) %>)
+              <% end %>
+
+              <% if user.email_address.is_verified? %>
+                <i class="fas fa-check-circle user-verified-email-icon" title="Verified email"></i>
+              <% elsif user == CurrentUser.user %>
+                <%= link_to verify_user_email_path(user) do %>
+                  <i class="fas fa-exclamation-triangle user-unverified-email-icon" title="Unverified email. Click here to verify your email."></i>
+                <% end %>
+              <% else %>
+                <i class="fas fa-exclamation-triangle user-email-unverified" title="Unverified email."></i>
+              <% end %>
+            <% else %>
+              <em>none</em>
+            <% end %>
+          </td>
+        </tr>
+      <% end %>
+
       <tr>
         <th>Inviter</th>
         <% if user.inviter %>

test/functional/users_controller_test.rb

@@ -114,7 +114,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     context "show action" do
       setup do
         # flesh out profile to get more test coverage of user presenter.
-        @user = create(:banned_user, can_approve_posts: true, created_at: 2.weeks.ago)
+        @user = create(:user, can_approve_posts: true, created_at: 2.weeks.ago)
         as(@user) do
           create(:saved_search, user: @user)
           create(:post, uploader: @user, tag_string: "fav:#{@user.name}")
@@ -152,6 +152,33 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
         assert_equal(false, xml["user"]["enable_safe_mode"])
       end
 
+      context "for a user with an email address" do
+        setup do
+          create(:email_address, user: @user)
+        end
+
+        should "show the email address to the user themselves" do
+          get_auth user_path(@user), @user
+
+          assert_response :success
+          assert_select ".user-email-address", count: 1
+        end
+
+        should "show the email address to mods" do
+          get_auth user_path(@user), create(:moderator_user)
+
+          assert_response :success
+          assert_select ".user-email-address", count: 1
+        end
+
+        should "not show the email address to other users" do
+          get_auth user_path(@user), create(:user)
+
+          assert_response :success
+          assert_select ".user-email-address", count: 0
+        end
+      end
+
       context "for a tooltip" do
         setup do
           @banned = create(:banned_user)