diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ca3dba24266..346cf4d8bfe 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -351,6 +351,11 @@ class UsersController < ApplicationController
 authentication.start
+ if authentication.email_valid? && !authentication.authenticated?
+ # posted email is different that the already validated one?
+ return fail_with('login.incorrect_username_email_or_password')
+ end
+
 activation = UserActivator.new(user, request, session, cookies)
 activation.start
diff --git a/app/services/user_authenticator.rb b/app/services/user_authenticator.rb
index 4019fefeadc..cd75e931220 100644
--- a/app/services/user_authenticator.rb
+++ b/app/services/user_authenticator.rb
@@ -25,12 +25,16 @@ class UserAuthenticator
 @session = nil
 end
- private
+ def email_valid?
+ @session && @session[:email_valid]
+ end
 def authenticated?
 @session && @session[:email] == @user.email && @session[:email_valid]
 end
+ private
+
 def authenticator
 if authenticator_name
 @authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)
diff --git a/lib/auth/google_oauth2_authenticator.rb b/lib/auth/google_oauth2_authenticator.rb
index 385aa921481..310f2ab9e93 100644
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@@ -31,7 +31,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
 def after_create_account(user, auth)
 data = auth[:extra_data]
 GoogleUserInfo.create({ user_id: user.id }.merge(data))
- if auth[:email_valid].to_s == 'true'
+ if auth[:email_valid].to_s == 'true' && data[:email]&.downcase == user.email
 EmailToken.confirm(user.email_tokens.first.token)
 user.set_automatic_groups
 end
diff --git a/spec/components/auth/google_oauth2_authenticator_spec.rb b/spec/components/auth/google_oauth2_authenticator_spec.rb
index dc0a6d29b2d..e3af7278baf 100644
--- a/spec/components/auth/google_oauth2_authenticator_spec.rb
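Review bot: The comment on the new guard, `# posted email is different that the already validated one?`, has a typo and is phrased as a question rather than stating why the request is refused; suggest `# The posted email no longer matches the one the provider validated, so the validated flag must not carry over to this account.` The guard fails closed, which is the right direction, and reusing the generic login message avoids revealing which email the session held. The enclosing action starts and ends outside this hunk, so where `session[:authentication]` is written is not visible here; note that `email_valid?` in the `UserAuthenticator` hunk below treats any non-nil value as valid, so the writer must store only `'true'` or boolean true there.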
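Review bot: `email_valid?` returns the raw session value rather than a boolean, so with the string the controller spec stores (`auth[:email_valid] = 'true'`) any non-empty string — `'false'` included — would count as validated, whereas `Auth::GoogleOAuth2Authenticator` in the same commit checks `auth[:email_valid].to_s == 'true'`. If the session can only ever hold `'true'` or `true` this is harmless, but normalising here removes the dependency: `def email_valid?` / `  !!@session && @session[:email_valid].to_s == 'true'` / `end`, and `authenticated?` could then end with `&& email_valid?` instead of repeating the hash lookup. Moving `private` below `authenticated?` also makes that method public; the controller hunk relies on it, so that looks intended, but a one-line comment above the two predicates saying they are read by `UsersController` would explain the visibility change.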
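Review bot: The new condition downcases only the provider side (`data[:email]&.downcase == user.email`), so it assumes `user.email` is already stored lowercase; that normalisation is not visible in this hunk, and if a record carries mixed case the Google-verified confirmation is silently skipped and the user has to confirm by email instead. Downcasing both sides while still rejecting a missing provider email removes the assumption: `if auth[:email_valid].to_s == 'true' && data[:email] && data[:email].downcase == user.email.to_s.downcase`. A why-comment above the `if` would also help: `# Only auto-confirm when the account email is still the one Google verified; the signup form lets the user edit it.` `after_create_account` ends outside this hunk.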
+++ b/spec/components/auth/google_oauth2_authenticator_spec.rb
@@ -85,16 +85,31 @@ describe Auth::GoogleOAuth2Authenticator do
 context 'after_create_account' do
 it 'confirms email' do
 authenticator = Auth::GoogleOAuth2Authenticator.new
- user = Fabricate(:user)
+ user = Fabricate(:user, email: 'realgoogleuser@gmail.com')
 session = {
 email_valid: "true",
 extra_data: {
- google_user_id: 1
+ google_user_id: 1,
+ email: 'realgoogleuser@gmail.com'
 }
 }
 authenticator.after_create_account(user, session)
 expect(user.email_confirmed?).to eq(true)
 end
+
+ it "doesn't confirm email if it was changed" do
+ authenticator = Auth::GoogleOAuth2Authenticator.new
+ user = Fabricate(:user, email: 'changed@gmail.com')
+ session = {
+ email_valid: "true",
+ extra_data: {
+ google_user_id: 1,
+ email: 'realgoogleuser@gmail.com'
+ }
+ }
+ authenticator.after_create_account(user, session)
+ expect(user.email_confirmed?).to eq(false)
+ end
 end
 end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 258d788f9ba..03490e1b08f 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -809,6 +809,24 @@ describe UsersController do
 expect(TwitterUserInfo.count).to eq(1)
 end
 end
+
+ it "returns an error when email has been changed from the validated email address" do
+ auth = session[:authentication] = {}
+ auth[:email_valid] = 'true'
+ auth[:email] = 'therealone@gmail.com'
+ post_user
+ json = JSON.parse(response.body)
+ expect(json['success']).to eq(false)
+ expect(json['message']).to be_present
+ end
+
+ it "will create the user successfully if email validation is required" do
+ auth = session[:authentication] = {}
+ auth[:email] = post_user_params[:email]
+ post_user
+ json = JSON.parse(response.body)
+ expect(json['success']).to eq(true)
+ end
 end
 context 'after success' do
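Review bot: The new example covers a changed address but not the nil path the `&.` in `after_create_account` introduces: when `extra_data` carries no `email` key, `data[:email]&.downcase` is nil and the account must stay unconfirmed. A third example that omits `email:` from `extra_data` and expects `user.email_confirmed?` to be `false` would pin that, and one using `email: 'RealGoogleUser@gmail.com'` with the same lowercase user would pin the case-insensitive match. The enclosing `describe` starts outside this hunk.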
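Review bot: The second example, "will create the user successfully if email validation is required", never sets `auth[:email_valid]`, so it exercises the branch where `email_valid?` is false rather than the success path of the new guard; adding `auth[:email_valid] = 'true'` after `auth[:email] = post_user_params[:email]` makes it prove that a matching, validated email is still accepted. The first example only checks `expect(json['message']).to be_present`; if the controller renders the key verbatim, `expect(json['message']).to eq(I18n.t('login.incorrect_username_email_or_password'))` would pin the response, though how `fail_with` renders is not visible here. The enclosing `describe` starts outside this hunk.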