SECURITY: Only allow users to resend activation email with a valid session.

* Improve error when an active user tries to request for an activation email.

spec/controllers/users_controller_spec.rb

@@ -1403,10 +1403,29 @@ describe UsersController do
     context 'for an existing user' do
       let(:user) { Fabricate(:user, active: false) }
 
+      context 'for an activated account' do
+        it 'fails' do
+          active_user = Fabricate(:user, active: true)
+          session[SessionController::ACTIVATE_USER_KEY] = active_user.username
+          xhr :post, :send_activation_email, username: active_user.username
+
+          expect(response.status).to eq(409)
+
+          expect(JSON.parse(response.body)['errors']).to include(I18n.t(
+            'activation.activated'
+          ))
+
+          expect(session[SessionController::ACTIVATE_USER_KEY]).to eq(nil)
+        end
+      end
+
       context 'with a valid email_token' do
         it 'should send the activation email' do
+          session["activate_user"] = user.username
           Jobs.expects(:enqueue).with(:critical_user_email, has_entries(type: :signup))
           xhr :post, :send_activation_email, username: user.username
+
+          expect(session[SessionController::ACTIVATE_USER_KEY]).to eq(nil)
         end
       end
 
@@ -1418,13 +1437,17 @@ describe UsersController do
 
         it 'should generate a new token' do
           expect {
+            session["activate_user"] = user.username
             xhr :post, :send_activation_email, username: user.username
           }.to change{ user.email_tokens(true).count }.by(1)
         end
 
         it 'should send an email' do
+          session["activate_user"] = user.username
           Jobs.expects(:enqueue).with(:critical_user_email, has_entries(type: :signup))
           xhr :post, :send_activation_email, username: user.username
+
+          expect(session[SessionController::ACTIVATE_USER_KEY]).to eq(nil)
         end
       end
     end