SECURITY: Confirm new administrator accounts via email

spec/components/admin_confirmation_spec.rb

@@ -0,0 +1,54 @@
+require 'admin_confirmation'
+require 'rails_helper'
+
+describe AdminConfirmation do
+
+  let(:admin) { Fabricate(:admin) }
+  let(:user) { Fabricate(:user) }
+
+  describe "create_confirmation" do
+    it "raises an error for non-admins" do
+      ac = AdminConfirmation.new(user, Fabricate(:moderator))
+      expect { ac.create_confirmation }.to raise_error(Discourse::InvalidAccess)
+    end
+  end
+
+  describe "email_confirmed!" do
+    before do
+      ac = AdminConfirmation.new(user, admin)
+      ac.create_confirmation
+      @token = ac.token
+    end
+
+    it "cannot confirm if the user loses admin access" do
+      ac = AdminConfirmation.find_by_code(@token)
+      ac.performed_by.update_column(:admin, false)
+      expect { ac.email_confirmed! }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "can confirm admin accounts" do
+      ac = AdminConfirmation.find_by_code(@token)
+      expect(ac.performed_by).to eq(admin)
+      expect(ac.target_user).to eq(user)
+      expect(ac.token).to eq(@token)
+      ac.email_confirmed!
+
+      user.reload
+      expect(user.admin?).to eq(true)
+
+      # It creates a staff log
+      logs = UserHistory.where(
+        action: UserHistory.actions[:grant_admin],
+        target_user_id: user.id
+      )
+      expect(logs).to be_present
+
+      # It removes the redis keys for another user
+      expect(AdminConfirmation.find_by_code(ac.token)).to eq(nil)
+      expect(AdminConfirmation.exists_for?(user.id)).to eq(false)
+    end
+
+  end
+
+end
+