discourse/lib/email_updater.rb

# frozen_string_literal: true

class EmailUpdater
  include HasErrors

  attr_reader :user
  attr_reader :change_req

  def self.human_attribute_name(name, options = {})
    User.human_attribute_name(name, options)
  end

  def initialize(guardian: nil, user: nil)
    @guardian = guardian
    @user = user
  end

  def change_to(email, add: false)
    @guardian.ensure_can_edit_email!(@user)

    email = Email.downcase(email.strip)
    EmailValidator.new(attributes: :email).validate_each(self, :email, email)
    return if errors.present?

    if existing_user = User.find_by_email(email)
      if SiteSetting.hide_email_address_taken
        Jobs.enqueue(:critical_user_email, type: "account_exists", user_id: existing_user.id)
      else
        error_message = +'change_email.error'
        error_message << '_staged' if existing_user.staged?
        errors.add(:base, I18n.t(error_message))
      end
    end

    if add
      secondary_emails_count = @user.secondary_emails.count
      if secondary_emails_count >= SiteSetting.max_allowed_secondary_emails
        errors.add(:base, I18n.t("change_email.max_secondary_emails_error"))
      end
    else
      old_email = @user.email
    end

    return if errors.present? || existing_user.present?

    if @guardian.is_staff? && @guardian.user != @user
      StaffActionLogger.new(@guardian.user).log_add_email(@user)
    else
      UserHistory.create!(action: UserHistory.actions[:add_email], acting_user_id: @user.id)
    end

    @change_req = EmailChangeRequest.find_or_initialize_by(user_id: @user.id, new_email: email)

    if @change_req.new_record?
      @change_req.requested_by = @guardian.user
      @change_req.old_email = old_email
      @change_req.new_email = email
    end

    if @change_req.change_state.blank? || @change_req.change_state == EmailChangeRequest.states[:complete]
      @change_req.change_state = if SiteSetting.require_change_email_confirmation || @user.staff?
        EmailChangeRequest.states[:authorizing_old]
      else
        EmailChangeRequest.states[:authorizing_new]
      end
    end

    if @change_req.change_state == EmailChangeRequest.states[:authorizing_old]
      @change_req.old_email_token = @user.email_tokens.create!(email: @user.email, scope: EmailToken.scopes[:email_update])
      send_email(add ? "confirm_old_email_add" : "confirm_old_email", @change_req.old_email_token)
    elsif @change_req.change_state == EmailChangeRequest.states[:authorizing_new]
      @change_req.new_email_token = @user.email_tokens.create!(email: email, scope: EmailToken.scopes[:email_update])
      send_email("confirm_new_email", @change_req.new_email_token)
    end

    @change_req.save!
    @change_req
  end

  def confirm(token)
    confirm_result = nil

    User.transaction do
      email_token = EmailToken.confirmable(token, scope: EmailToken.scopes[:email_update])
      if email_token.blank?
        errors.add(:base, I18n.t('change_email.already_done'))
        confirm_result = :error
        next
      end

      email_token.update!(confirmed: true)

      @user = email_token.user
      @change_req = @user.email_change_requests
        .where('old_email_token_id = :token_id OR new_email_token_id = :token_id', token_id: email_token.id)
        .first

      case @change_req.try(:change_state)
      when EmailChangeRequest.states[:authorizing_old]
        @change_req.update!(
          change_state: EmailChangeRequest.states[:authorizing_new],
          new_email_token: @user.email_tokens.create!(email: @change_req.new_email, scope: EmailToken.scopes[:email_update])
        )
        send_email("confirm_new_email", @change_req.new_email_token)
        confirm_result = :authorizing_new
      when EmailChangeRequest.states[:authorizing_new]
        @change_req.update!(change_state: EmailChangeRequest.states[:complete])
        if !@user.staff?
          # Send an email notification only to users who did not confirm old
          # email.
          send_email_notification(@change_req.old_email, @change_req.new_email)
        end
        update_user_email(@change_req.old_email, @change_req.new_email)
        confirm_result = :complete
      end
    end

    confirm_result || :error
  end

  def update_user_email(old_email, new_email)
    if old_email.present?
      @user.user_emails.find_by(email: old_email).update!(email: new_email)
    else
      @user.user_emails.create!(email: new_email)
    end
    @user.reload

    DiscourseEvent.trigger(:user_updated, @user)
    @user.set_automatic_groups
  end

  protected

  def send_email(type, email_token)
    Jobs.enqueue :critical_user_email,
                 to_address: email_token.email,
                 type: type,
                 user_id: @user.id,
                 email_token: email_token.token
  end

  def send_email_notification(old_email, new_email)
    Jobs.enqueue :critical_user_email,
                 to_address: @user.email,
                 type: old_email ? "notify_old_email" : "notify_old_email_add",
                 user_id: @user.id,
                 new_email: new_email
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`class EmailUpdater`
			`include HasErrors`

			`attr_reader :user`
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`attr_reader :change_req`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
			`def self.human_attribute_name(name, options = {})`
			`User.human_attribute_name(name, options)`
			`end`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`def initialize(guardian: nil, user: nil)`
			`@guardian = guardian`
			`@user = user`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`def change_to(email, add: false)`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`@guardian.ensure_can_edit_email!(@user)`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`email = Email.downcase(email.strip)`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`EmailValidator.new(attributes: :email).validate_each(self, :email, email)`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`return if errors.present?`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
improve error message when trying to change email address to one used by a staged user 2016-03-21 14:36:26 -04:00			`if existing_user = User.find_by_email(email)`
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences 2017-10-04 11:41:08 -04:00			`if SiteSetting.hide_email_address_taken`
DEV: Use strings for :user_email job type argument Job arguments go via JSON, and so symbols will appear as strings in the Job's `#execute` method. The latest version of Sidekiq has started warning about this to reduce developer confusion. 2022-02-04 12:34:38 -05:00			`Jobs.enqueue(:critical_user_email, type: "account_exists", user_id: existing_user.id)`
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences 2017-10-04 11:41:08 -04:00			`else`
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`error_message = +'change_email.error'`
FEATURE: the hide_email_address_taken setting works with the change email address form in user preferences 2017-10-04 11:41:08 -04:00			`error_message << '_staged' if existing_user.staged?`
			`errors.add(:base, I18n.t(error_message))`
			`end`
improve error message when trying to change email address to one used by a staged user 2016-03-21 14:36:26 -04:00			`end`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
FEATURE: add maximum limit for secondary emails (#12599) 2021-04-05 11:01:42 -04:00			`if add`
			`secondary_emails_count = @user.secondary_emails.count`
			`if secondary_emails_count >= SiteSetting.max_allowed_secondary_emails`
			`errors.add(:base, I18n.t("change_email.max_secondary_emails_error"))`
			`end`
			`else`
			`old_email = @user.email`
			`end`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
FEATURE: add maximum limit for secondary emails (#12599) 2021-04-05 11:01:42 -04:00			`return if errors.present? \|\| existing_user.present?`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`if @guardian.is_staff? && @guardian.user != @user`
			`StaffActionLogger.new(@guardian.user).log_add_email(@user)`
			`else`
FIX: Fill acting_user field instead of target_user in history 2020-06-16 06:30:58 -04:00			`UserHistory.create!(action: UserHistory.actions[:add_email], acting_user_id: @user.id)`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`end`
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email. 2020-02-19 18:52:21 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`@change_req = EmailChangeRequest.find_or_initialize_by(user_id: @user.id, new_email: email)`
FIX: Do not add same email multiple times (#12322) The user and an admin could create multiple email change requests for the same user. If any of the requests was validated and it became primary, the other request could not be deleted anymore. 2021-03-10 07:49:26 -05:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`if @change_req.new_record?`
			`@change_req.requested_by = @guardian.user`
			`@change_req.old_email = old_email`
			`@change_req.new_email = email`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`end`

DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`if @change_req.change_state.blank? \|\| @change_req.change_state == EmailChangeRequest.states[:complete]`
FEATURE: Add setting to always confirm old email (#18417) By default, only staff members have to confirm their old email when changing it. This commit adds a site setting that when enabled will always ask the user to confirm old email. 2022-09-29 17:49:17 -04:00			`@change_req.change_state = if SiteSetting.require_change_email_confirmation \|\| @user.staff?`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`EmailChangeRequest.states[:authorizing_old]`
			`else`
			`EmailChangeRequest.states[:authorizing_new]`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`
			`end`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`if @change_req.change_state == EmailChangeRequest.states[:authorizing_old]`
			`@change_req.old_email_token = @user.email_tokens.create!(email: @user.email, scope: EmailToken.scopes[:email_update])`
DEV: Update :critical_user_email calls to use strings (#15827) Symbols are converted to strings anyway, so there is no change in behaviour. The latest version of sidekiq introduced a warning for this. 2022-02-04 18:43:53 -05:00			`send_email(add ? "confirm_old_email_add" : "confirm_old_email", @change_req.old_email_token)`
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`elsif @change_req.change_state == EmailChangeRequest.states[:authorizing_new]`
			`@change_req.new_email_token = @user.email_tokens.create!(email: email, scope: EmailToken.scopes[:email_update])`
DEV: Update :critical_user_email calls to use strings (#15827) Symbols are converted to strings anyway, so there is no change in behaviour. The latest version of sidekiq introduced a warning for this. 2022-02-04 18:43:53 -05:00			`send_email("confirm_new_email", @change_req.new_email_token)`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`end`

DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`@change_req.save!`
			`@change_req`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`

			`def confirm(token)`
			`confirm_result = nil`

			`User.transaction do`
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`email_token = EmailToken.confirmable(token, scope: EmailToken.scopes[:email_update])`
			`if email_token.blank?`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`errors.add(:base, I18n.t('change_email.already_done'))`
			`confirm_result = :error`
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`next`
			`end`

			`email_token.update!(confirmed: true)`

			`@user = email_token.user`
			`@change_req = @user.email_change_requests`
			`.where('old_email_token_id = :token_id OR new_email_token_id = :token_id', token_id: email_token.id)`
			`.first`

			`case @change_req.try(:change_state)`
			`when EmailChangeRequest.states[:authorizing_old]`
			`@change_req.update!(`
			`change_state: EmailChangeRequest.states[:authorizing_new],`
			`new_email_token: @user.email_tokens.create!(email: @change_req.new_email, scope: EmailToken.scopes[:email_update])`
			`)`
DEV: Update :critical_user_email calls to use strings (#15827) Symbols are converted to strings anyway, so there is no change in behaviour. The latest version of sidekiq introduced a warning for this. 2022-02-04 18:43:53 -05:00			`send_email("confirm_new_email", @change_req.new_email_token)`
DEV: Hash tokens stored from email_tokens (#14493) This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens 2021-11-25 02:34:39 -05:00			`confirm_result = :authorizing_new`
			`when EmailChangeRequest.states[:authorizing_new]`
			`@change_req.update!(change_state: EmailChangeRequest.states[:complete])`
			`if !@user.staff?`
			`# Send an email notification only to users who did not confirm old`
			`# email.`
			`send_email_notification(@change_req.old_email, @change_req.new_email)`
			`end`
			`update_user_email(@change_req.old_email, @change_req.new_email)`
			`confirm_result = :complete`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`
			`end`

			`confirm_result \|\| :error`
			`end`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`def update_user_email(old_email, new_email)`
			`if old_email.present?`
			`@user.user_emails.find_by(email: old_email).update!(email: new_email)`
			`else`
			`@user.user_emails.create!(email: new_email)`
			`end`
FIX: Admin change email for user process improvements and fixes (#10755) See https://meta.discourse.org/t/changing-a-users-email/164512 for context. When admin changes an email for a user, we were incorrectly sending the password reset email to the user's old address. Also the new email does not come into effect until the reset password process is done, so this PR adds some notes to the admin to make this clearer. 2020-09-28 19:45:45 -04:00			`@user.reload`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00
FIX: : trigger `user_updated` event only if email changed after user creation. Follow-up to 1460d7957c5d9b9300034e5e36675cf44cc3bc0f 2020-07-16 08:51:30 -04:00			`DiscourseEvent.trigger(:user_updated, @user)`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`@user.set_automatic_groups`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`protected`

SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`def send_email(type, email_token)`
FEATURE: move more urgent emails notifications to critical queue Move signup, admin login and password change email notifications to critical queue 2016-04-07 00:38:43 -04:00			`Jobs.enqueue :critical_user_email,`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`to_address: email_token.email,`
			`type: type,`
			`user_id: @user.id,`
			`email_token: email_token.token`
			`end`

FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`def send_email_notification(old_email, new_email)`
			`Jobs.enqueue :critical_user_email,`
			`to_address: @user.email,`
DEV: Update :critical_user_email calls to use strings (#15827) Symbols are converted to strings anyway, so there is no change in behaviour. The latest version of sidekiq introduced a warning for this. 2022-02-04 18:43:53 -05:00			`type: old_email ? "notify_old_email" : "notify_old_email_add",`
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 12:11:49 -04:00			`user_id: @user.id,`
			`new_email: new_email`
FIX: When admin changes another user's email auto-confirm the change (#9001) When admin changes a user's email from the preferences page of that user: * The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address. * The user will still be sent an email to their old email to inform them that it was changed. * Admin and staff users still need to follow the same old + new confirm process, as do users changing their own email. 2020-02-19 18:52:21 -05:00			`end`
SECURITY: Support for confirm old as well as new email accounts 2016-03-07 14:40:11 -05:00			`end`