discourse/lib/admin_confirmation.rb

# frozen_string_literal: true

class AdminConfirmation
  attr_accessor :token
  attr_reader :performed_by
  attr_reader :target_user

  def initialize(target_user, performed_by)
    @target_user = target_user
    @performed_by = performed_by
  end

  def create_confirmation
    guardian = Guardian.new(@performed_by)
    guardian.ensure_can_grant_admin!(@target_user)

    @token = SecureRandom.hex
    $redis.setex("admin-confirmation:#{@target_user.id}", 3.hours.to_i, @token)

    payload = {
      target_user_id: @target_user.id,
      performed_by: @performed_by.id
    }
    $redis.setex("admin-confirmation-token:#{@token}", 3.hours.to_i, payload.to_json)

    Jobs.enqueue(
      :admin_confirmation_email,
      to_address: @performed_by.email,
      target_email: @target_user.email,
      target_username: @target_user.username,
      token: @token
    )
  end

  def email_confirmed!
    guardian = Guardian.new(@performed_by)
    guardian.ensure_can_grant_admin!(@target_user)

    @target_user.grant_admin!
    StaffActionLogger.new(@performed_by).log_grant_admin(@target_user)
    $redis.del "admin-confirmation:#{@target_user.id}"
    $redis.del "admin-confirmation-token:#{@token}"
  end

  def self.exists_for?(user_id)
    $redis.exists "admin-confirmation:#{user_id}"
  end

  def self.find_by_code(token)
    json = $redis.get("admin-confirmation-token:#{token}")
    return nil unless json

    parsed = JSON.parse(json)
    target_user = User.find(parsed['target_user_id'].to_i)
    performed_by = User.find(parsed['performed_by'].to_i)

    ac = AdminConfirmation.new(target_user, performed_by)
    ac.token = token
    ac
  end

end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

SECURITY: Confirm new administrator accounts via email 2017-04-04 13:59:22 -04:00			`class AdminConfirmation`
			`attr_accessor :token`
			`attr_reader :performed_by`
			`attr_reader :target_user`

			`def initialize(target_user, performed_by)`
			`@target_user = target_user`
			`@performed_by = performed_by`
			`end`

			`def create_confirmation`
			`guardian = Guardian.new(@performed_by)`
			`guardian.ensure_can_grant_admin!(@target_user)`

			`@token = SecureRandom.hex`
			`$redis.setex("admin-confirmation:#{@target_user.id}", 3.hours.to_i, @token)`

			`payload = {`
			`target_user_id: @target_user.id,`
			`performed_by: @performed_by.id`
			`}`
			`$redis.setex("admin-confirmation-token:#{@token}", 3.hours.to_i, payload.to_json)`

			`Jobs.enqueue(`
			`:admin_confirmation_email,`
			`to_address: @performed_by.email,`
UX: show user email address on "grant admin access" email and UI 2019-11-04 04:17:00 -05:00			`target_email: @target_user.email,`
SECURITY: Confirm new administrator accounts via email 2017-04-04 13:59:22 -04:00			`target_username: @target_user.username,`
			`token: @token`
			`)`
			`end`

			`def email_confirmed!`
			`guardian = Guardian.new(@performed_by)`
			`guardian.ensure_can_grant_admin!(@target_user)`

			`@target_user.grant_admin!`
			`StaffActionLogger.new(@performed_by).log_grant_admin(@target_user)`
			`$redis.del "admin-confirmation:#{@target_user.id}"`
			`$redis.del "admin-confirmation-token:#{@token}"`
			`end`

			`def self.exists_for?(user_id)`
			`$redis.exists "admin-confirmation:#{user_id}"`
			`end`

			`def self.find_by_code(token)`
			`json = $redis.get("admin-confirmation-token:#{token}")`
			`return nil unless json`

			`parsed = JSON.parse(json)`
			`target_user = User.find(parsed['target_user_id'].to_i)`
			`performed_by = User.find(parsed['performed_by'].to_i)`

			`ac = AdminConfirmation.new(target_user, performed_by)`
			`ac.token = token`
			`ac`
			`end`

			`end`