Previously, when changing back to the same email (i.e. change to a new
email, then change back again) we can easily end up showing the
incorrect old email if changing back to the same email more than once.
Then passing the incorrect old email causes an error as it can't be found.
This happens because we only searched for a combination of `user_id` and
`new_email` which can load an older change from the database. By using
the current email address when finding / initializing the
`EmailChangeRequest` we can prevent this issue as we will be creating a
new entry rather than loading an outdated one.
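
The lookup problem described in the first commit message above, replayed on an in-memory table as an added example (not code from the project; `RequestStore`, `request_change_buggy`, `request_change_fixed` and `replay` are hypothetical names, and the addresses are constructed):

```ruby
# Constructed in-memory stand-in for an email-change-request table
# (hypothetical names; not the project's model code).
Request = Struct.new(:user_id, :old_email, :new_email)

class RequestStore
  def initialize
    @rows = []
  end

  # Mimics find-or-initialize: return the first row matching every given
  # attribute, otherwise build and store a new row with those attributes.
  def find_or_initialize_by(attrs)
    row = @rows.find { |r| attrs.all? { |k, v| r[k] == v } }
    return row if row
    row = Request.new(*attrs.values_at(:user_id, :old_email, :new_email))
    @rows << row
    row
  end
end

# Before: lookup keyed on user_id and new_email only.
def request_change_buggy(store, user, new_email)
  req = store.find_or_initialize_by(user_id: user[:id], new_email: new_email)
  req.old_email ||= user[:email] # only set when the row was just created
  req
end

# After: the current address is part of the lookup key.
def request_change_fixed(store, user, new_email)
  store.find_or_initialize_by(user_id: user[:id], old_email: user[:email], new_email: new_email)
end

# Replays a sequence of confirmed changes and returns the old_email that
# each request would present to the user.
def replay(changes, strategy)
  store = RequestStore.new
  user = { id: 1, email: "a@example.com" }
  changes.map do |new_email|
    req = send(strategy, store, user, new_email)
    shown = req.old_email
    user[:email] = new_email # the change is confirmed
    shown
  end
end

# Constructed sequence: a -> b -> a -> c -> a (changing back to "a" twice).
CHANGES = %w[b@example.com a@example.com c@example.com a@example.com]
```

On the last step the two-column lookup reloads the earlier `b -> a` row, so the old address shown is `b@example.com` while the account's current address is `c@example.com`; with the current address in the key a new row is created instead.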

We're changing the default of `hide_email_address_taken` to true. This is a trade-off we want to make, as it prevents account enumeration with minimal impact on legitimate users. If you forget you have an account and try to sign up again with the same e-mail you'll receive an e-mail letting you know.

By default, only staff members have to confirm their old email when
changing it. This commit adds a site setting that when enabled will
always ask the user to confirm their old email.

It's very easy to forget to add `require 'rails_helper'` at the top of every core/plugin spec file, and omissions can cause some very confusing/sporadic errors.
By setting this flag in `.rspec`, we can remove the need for `require 'rails_helper'` entirely.