discourse/app/controllers/users_email_controller.rb

67 lines
1.8 KiB
Ruby

# frozen_string_literal: true
class UsersEmailController < ApplicationController
requires_login only: [:index, :update]
skip_before_action :check_xhr, only: [:confirm]
skip_before_action :redirect_to_login_if_required, only: [:confirm]
def index
end
def update
params.require(:email)
user = fetch_user_from_params
RateLimiter.new(user, "change-email-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(user, "change-email-min-#{request.remote_ip}", 3, 1.minute).performed!
updater = EmailUpdater.new(guardian, user)
updater.change_to(params[:email])
if updater.errors.present?
return render_json_error(updater.errors.full_messages)
end
render body: nil
rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down"))
end
def confirm
expires_now
token = EmailToken.confirmable(params[:token])
user = token&.user
change_request =
if user
user.email_change_requests.where(new_email_token_id: token.id).first
end
if change_request&.change_state == EmailChangeRequest.states[:authorizing_new] &&
user.totp_enabled? && !user.authenticate_second_factor(params[:second_factor_token], params[:second_factor_method].to_i)
@update_result = :invalid_second_factor
@backup_codes_enabled = true if user.backup_codes_enabled?
if params[:second_factor_token].present?
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
@show_invalid_second_factor_error = true
end
else
updater = EmailUpdater.new
@update_result = updater.confirm(params[:token])
if @update_result == :complete
updater.user.user_stat.reset_bounce_score!
log_on_user(updater.user)
end
end
render layout: 'no_ember'
end
end