From 4812417192027a52a9acf0938e2c53ba7297d9f9 Mon Sep 17 00:00:00 2001
From: Arpit Jalan <arpit@techapj.com>
Date: Tue, 28 Mar 2017 14:50:36 +0530
Subject: [PATCH] FIX: do not add user to group based on email domain unless
 email is confirmed

---
 app/models/user.rb       |  3 +--
 spec/models/user_spec.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 95ad684c706..5a0679508d0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -939,8 +939,7 @@ class User < ActiveRecord::Base
 
   def automatic_group_membership
     user = User.find(self.id)
-
-    return unless user && user.active && !user.staged
+    return unless user && user.active && user.email_confirmed? && !user.staged
 
     Group.where(automatic: false)
          .where("LENGTH(COALESCE(automatic_membership_email_domains, '')) > 0")
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index dfee88c7fbb..9304b1279a4 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1213,6 +1213,13 @@ describe User do
       expect(group.users.include?(inactive_user)).to eq(false)
     end
 
+    it "doesn't automatically add users with unconfirmed email" do
+      unconfirmed_email_user = Fabricate(:user, active: true, email: "wat@wat.com")
+      unconfirmed_email_user.email_tokens.create(email: unconfirmed_email_user.email)
+      group.reload
+      expect(group.users.include?(unconfirmed_email_user)).to eq(false)
+    end
+
     it "doesn't automatically add staged users" do
       staged_user = Fabricate(:user, active: true, staged: true, email: "wat@wat.com")
       group.reload
@@ -1221,6 +1228,8 @@ describe User do
 
     it "is automatically added to a group when the email matches" do
       user = Fabricate(:user, active: true, email: "foo@bar.com")
+      email_token = user.email_tokens.create(email: user.email).token
+      EmailToken.confirm(email_token)
       group.reload
       expect(group.users.include?(user)).to eq(true)
 
@@ -1241,6 +1250,8 @@ describe User do
 
       user.password_required!
       user.save!
+      email_token = user.email_tokens.create(email: user.email).token
+      EmailToken.confirm(email_token)
       user.reload
 
       expect(user.title).to eq("bars and wats")