emails: send verification mail when user changes address.

2020-03-14 18:32:00 -05:00
parent 167fe51a8a
commit d860fab7f5
7 changed files with 61 additions and 2 deletions
--- a/app/controllers/emails_controller.rb
+++ b/app/controllers/emails_controller.rb
@@ -21,6 +21,7 @@ class EmailsController < ApplicationController

    if @user.errors.none?
      flash[:notice] = "Email updated"
+      UserMailer.email_change_confirmation(@user).deliver_later
      respond_with(@user, location: settings_url)
    else
      flash[:notice] = @user.errors.full_messages.join("; ")
@@ -28,6 +29,15 @@ class EmailsController < ApplicationController
    end
  end

+  def verify
+    email_id = Danbooru::MessageVerifier.new(:email_verification_key).verify(params[:email_verification_key])
+    @email_address = EmailAddress.find(email_id)
+    @email_address.update!(is_verified: true)
+
+    flash[:notice] = "Email address verified"
+    redirect_to @email_address.user
+  end
+
  private

  def check_privilege(user)
--- a/app/mailers/user_mailer.rb
+++ b/app/mailers/user_mailer.rb
@@ -11,4 +11,9 @@ class UserMailer < ApplicationMailer
    @user = user
    mail to: @user.email_with_name, subject: "#{Danbooru.config.app_name} password reset request"
  end
+
+  def email_change_confirmation(user)
+    @user = user
+    mail to: @user.email_with_name, subject: "Confirm your email address"
+  end
 end
--- a/app/views/user_mailer/email_change_confirmation.html.erb
+++ b/app/views/user_mailer/email_change_confirmation.html.erb
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <body>
+    <h2>Hi <%= @user.name %>,</h2>
+
+    <p>
+      You recently changed your email address on <%= Danbooru.config.app_name %>.
+      Click the link below to verify your new email address.
+    </p>
+
+    <p>
+      <%= link_to "Verify email address", verify_user_email_url(@user, email_verification_key: Danbooru::MessageVerifier.new(:email_verification_key).generate(@user.email_address.id)) %>
+    </p>
+
+    <p>
+      If you did not recently change your email address on <%= Danbooru.config.app_name %>,
+      you may delete and ignore this email.
+    </p>
+  </body>
+</html>
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -27,6 +27,9 @@
          <p>
            <% if @user.email_address.present? %>
              <%= @user.email_address.address %>
+              <% if !@user.email_address.is_verified %>
+                <em>(unverified)</em>
+              <% end %>
            <% else %>
              <em>blank</em>
            <% end %>
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -245,7 +245,9 @@ Rails.application.routes.draw do
  end
  resources :users do
    resources :favorite_groups, controller: "favorite_groups", only: [:index], as: "favorite_groups"
-    resource :email, only: [:edit, :update]
+    resource :email, only: [:edit, :update] do
+      get :verify
+    end
    resource :password, only: [:edit, :update]
    resource :api_key, :only => [:show, :view, :update, :destroy], :controller => "maintenance/user/api_keys" do
      post :view
--- a/test/functional/emails_controller_test.rb
+++ b/test/functional/emails_controller_test.rb
@@ -3,7 +3,7 @@ require "test_helper"
 class EmailsControllerTest < ActionDispatch::IntegrationTest
  context "in all cases" do
    setup do
-      @user = create(:user, email_address: build(:email_address, { address: "bob@ogres.net" }))
+      @user = create(:user, email_address: build(:email_address, { address: "bob@ogres.net", is_verified: false }))
    end

    context "#edit" do
@@ -20,6 +20,7 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest

          assert_redirected_to(settings_path)
          assert_equal("abc@ogres.net", @user.reload.email_address.address)
+          assert_enqueued_email_with UserMailer, :email_change_confirmation, args: [@user]
        end
      end

@@ -29,6 +30,19 @@ class EmailsControllerTest < ActionDispatch::IntegrationTest

          assert_response :success
          assert_equal("bob@ogres.net", @user.reload.email_address.address)
+          assert_no_emails
+        end
+      end
+    end
+
+    context "#verify" do
+      context "with a correct verification key" do
+        should "mark the email address as verified" do
+          assert_equal(false, @user.reload.email_address.is_verified)
+          get_auth verify_user_email_path(@user), @user, params: { email_verification_key: Danbooru::MessageVerifier.new(:email_verification_key).generate(@user.email_address.id) }
+
+          assert_redirected_to @user
+          assert_equal(true, @user.reload.email_address.is_verified)
        end
      end
    end
--- a/test/mailers/previews/user_mailer_preview.rb
+++ b/test/mailers/previews/user_mailer_preview.rb
@@ -8,4 +8,9 @@ class UserMailerPreview < ActionMailer::Preview
    user = User.find(params[:id])
    UserMailer.password_reset(user)
  end
+
+  def email_change_confirmation
+    user = User.find(params[:id])
+    UserMailer.email_change_confirmation(user)
+  end
 end