FIX: send email to normalized email owner when hiding emails (#23524)

Previous to this change when both `normalize_emails` and `hide_email_address_taken` is enabled the expected `account_exists` email was only sent on exact email matches. This expands it so it also sends an email to the canonical email owner.
2023-09-12 11:06:35 +10:00 · 2023-09-12 11:06:35 +10:00 · b3bef96744
parent 80dcaf1e98
commit b3bef96744
3 changed files with 56 additions and 3 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -767,7 +767,12 @@ class UsersController < ApplicationController
          user.errors[:primary_email]&.include?(I18n.t("errors.messages.taken"))
      session["user_created_message"] = activation.success_message

-      if existing_user = User.find_by_email(user.primary_email&.email)
+      existing_user = User.find_by_email(user.primary_email&.email)
+      if !existing_user && SiteSetting.normalize_emails
+        existing_user =
+          UserEmail.find_by_normalized_email(user.primary_email&.normalized_email)&.user
+      end
+      if existing_user
        Jobs.enqueue(:critical_user_email, type: "account_exists", user_id: existing_user.id)
      end

--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -834,6 +834,46 @@ RSpec.describe UsersController do
        end
      end

+      context "when normalize_emails is enabled" do
+        let (:email) {
+          "jane+100@gmail.com"
+        }
+        let (:dupe_email) {
+          "jane+191@gmail.com"
+        }
+        let! (:user) {
+          Fabricate(:user, email: email, password: "strongpassword")
+        }
+
+        before do
+          SiteSetting.hide_email_address_taken = true
+          SiteSetting.normalize_emails = true
+        end
+
+        it "sends an email to normalized email owner when hide_email_address_taken is enabled" do
+          expect do
+            expect_enqueued_with(
+              job: Jobs::CriticalUserEmail,
+              args: {
+                type: "account_exists",
+                user_id: user.id,
+              },
+            ) do
+              post "/u.json",
+                   params: {
+                     name: "Jane Doe",
+                     username: "janedoe9999",
+                     password: "strongpassword",
+                     email: dupe_email,
+                   }
+            end
+          end.to_not change { User.count }
+
+          expect(response.status).to eq(200)
+          expect(session["user_created_message"]).to be_present
+        end
+      end
+
      context "when users already exists with given email" do
        let!(:existing) { Fabricate(:user, email: post_user_params[:email]) }

@ -850,7 +890,15 @@ RSpec.describe UsersController do

        it "returns success if hide_email_address_taken is enabled" do
          SiteSetting.hide_email_address_taken = true
-          expect { post_user }.to_not change { User.count }
+          expect {
+            expect_enqueued_with(
+              job: Jobs::CriticalUserEmail,
+              args: {
+                type: "account_exists",
+                user_id: existing.id,
+              },
+            ) { post_user }
+          }.to_not change { User.count }

          expect(response.status).to eq(200)
          expect(session["user_created_message"]).to be_present
--- a/spec/support/sidekiq_helpers.rb
+++ b/spec/support/sidekiq_helpers.rb
@ -32,7 +32,7 @@ module SidekiqHelpers
      eq(expectation),
      (
        if expectation
-          "No enqueued job with #{expected} found"
+          "No enqueued job with #{expected}\nFound:\n #{jobs.inspect}"
        else
          "Enqueued job with #{expected} found"
        end