github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-31 06:28:04 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: When admin changes staff email still enforce old email confirm (#9007)

Browse Source 
A follow-up correction to this change https://github.com/discourse/discourse/pull/9001.

When admin changes staff email still enforce old email confirm. Only allow auto-confirm of a new email by admin IF the target user is not also an admin. If an admin gets locked out of their email the site admin can use the rails console to solve the issue in a pinch.
This commit is contained in:
Martin Brennan
2020-02-20 13:42:57 +10:00
committed by GitHub
parent 5dc6100acc
commit 254b57c812
2 changed files with 28 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/email_updater.rb
View File

@ -15,7 +15,7 @@ class EmailUpdater
User.human_attribute_name(name, options)
end
def authorize_both?
def changing_staff_user_email?
@user.staff?
end
@ -44,7 +44,7 @@ class EmailUpdater
args, email_token = prepare_change_request(args)
@user.email_change_requests.create!(args)
if initiating_admin_changing_another_user_email?
if initiating_admin_changing_another_user_email? && !changing_staff_user_email?
auto_confirm_and_send_password_reset(email_token)
return
end
@ -115,20 +115,22 @@ class EmailUpdater
email_token: email_token.token
end
# regular users or changes requested by admin are always
# authorizing new only (as long as they are not changing their
# own email!)
#
# however even if an admin requests an email change for another
# admin the other admin must always confirm their old email
def prepare_change_request(args)
# regular users or changes requested by admin are always
# authorizing new only (as long as they are not changing their
# own email!)
if !authorize_both? || initiating_admin_changing_another_user_email?
args[:change_state] = EmailChangeRequest.states[:authorizing_new]
email_token = @user.email_tokens.create!(email: args[:new_email])
args[:new_email_token] = email_token
else
if changing_staff_user_email?
args[:change_state] = EmailChangeRequest.states[:authorizing_old]
email_token = @user.email_tokens.create!(email: args[:old_email])
args[:old_email_token] = email_token
else
args[:change_state] = EmailChangeRequest.states[:authorizing_new]
email_token = @user.email_tokens.create!(email: args[:new_email])
args[:new_email_token] = email_token
end
[args, email_token]
end