Send email to current email address on request to update email

This would ensure unintended email address update don't go unnoticed.

app/controllers/email_confirmations_controller.rb

@@ -29,7 +29,7 @@ def create
   # used to resend confirmation mail for unconfirmed_email validation
   def unconfirmed
     if current_user.generate_confirmation_token && current_user.save
-      Mailer.delay.email_reset(current_user)
+      Mailer.delay.email_reset(current_user.id)
       flash[:notice] = t("profiles.update.confirmation_mail_sent")
     else
       flash[:notice] = t("try_again")

app/controllers/profiles_controller.rb

@@ -18,7 +18,7 @@ def update
     @user = current_user.clone
     if @user.update(params_user)
       if @user.unconfirmed_email
-        Mailer.delay.email_reset(current_user)
+        send_email_reset_mails
         flash[:notice] = t(".confirmation_mail_sent")
       else
         flash[:notice] = t(".updated")
@@ -58,4 +58,9 @@ def set_cache_headers
     response.headers["Pragma"] = "no-cache"
     response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
   end
+
+  def send_email_reset_mails
+    Mailer.delay.email_reset_update(current_user.id)
+    Mailer.delay.email_reset(current_user.id)
+  end
 end

app/mailers/mailer.rb

@@ -6,13 +6,19 @@ class Mailer < ApplicationMailer
   default_url_options[:host] = Gemcutter::HOST
   default_url_options[:protocol] = Gemcutter::PROTOCOL
 
-  def email_reset(user)
-    @user = User.find(user["id"])
+  def email_reset(user_id)
+    @user = User.find(user_id)
     mail to: @user.unconfirmed_email,
          subject: I18n.t("mailer.confirmation_subject",
            default: "Please confirm your email address with RubyGems.org")
   end
 
+  def email_reset_update(user_id)
+    @user = User.find(user_id)
+    mail to: @user.email,
+         subject: I18n.t("mailer.email_reset_update.subject")
+  end
+
   def email_confirmation(user)
     @user = User.find(user["id"])
     mail to: @user.email,

app/views/mailer/email_reset_update.erb

@@ -0,0 +1,45 @@
+<% @title = t(".title") %>
+<% @sub_title = "Hi #{@user.handle}" %>
+
+<!-- Body -->
+<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#ffffff">
+  <tr>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+    <td>
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <div class="h3-1-center" style="color:#1e1e1e; font-family:Georgia, serif; min-width:auto !important; font-size:20px; line-height:26px;">
+        <p>
+          You have requested email update on RubyGems.org. Once you click on confirmation link sent to your new email address, your account will be disassociated from
+          <%= @user.email %>.
+        </p>
+        <p>
+          New email address: <strong><%= @user.unconfirmed_email %></strong>
+        </p>
+        <br/>
+        <p>If this email update is expected, you do not need to take further action.</p>
+        <p>
+          <strong>Only if this email update is unexpected</strong>
+          please take immediate steps to secure your account and gems:
+        </p>
+        <ol>
+          <li>If you suspect your account was compromised:
+            <ul>
+              <li><%= link_to("Change your password", new_password_url) %></li>
+              <li><%= link_to("Reset your API key", edit_profile_url) %></li>
+              <li><%= link_to("Enable multifactor authentication", edit_profile_url) %></li>
+            </ul>
+          </li>
+          <li><%= link_to("Report this", page_url("security")) %> incident to RubyGems.org</li>
+        </ol>
+      </div>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="30" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+    </td>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+  </tr>
+</table>
+<!-- END Body -->

config/locales/de.yml

@@ -140,6 +140,9 @@ de:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title:
@@ -340,7 +343,7 @@ de:
       resend_confirmation:
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: Am meisten Heruntergeladen in der gesamten Zeit
       total_downloads: Downloads insgesamt
       total_gems: Gems insgesamt

config/locales/en.yml

@@ -148,6 +148,9 @@ en:
     gem_pushed:
       subject: Gem %{gem} pushed to RubyGems.org
       title: GEM PUSHED
+    email_reset_update:
+      subject: You have requested email address update on RubyGems.org
+      title: EMAIL UPDATE REQUESTED
   news:
     show:
       title: New Releases — All Gems

config/locales/es.yml

@@ -148,6 +148,9 @@ es:
     gem_pushed:
       subject: Gema %{gem} subida a RubyGems.org
       title: GEMA SUBIDA
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Nuevos lanzamientos — Todas las Gemas
@@ -350,7 +353,7 @@ es:
       resend_confirmation: ¿No recibiste tu correo electrónico de confirmación?
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: Más descargadas
       total_downloads: Total de descargas
       total_gems: Gemas totales

config/locales/fr.yml

@@ -140,6 +140,9 @@ fr:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Nouvelles Versions - Toutes les Gems
@@ -340,7 +343,7 @@ fr:
       resend_confirmation: Vous n'avez pas reçu l'email de confirmation ?
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: Gems les plus téléchargés
       total_downloads: Total de téléchargements
       total_gems: Total de gems

config/locales/ja.yml

@@ -140,6 +140,9 @@ ja:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 新しくリリースされたGem
@@ -340,7 +343,7 @@ ja:
       resend_confirmation: 確認メールが見当たりませんか?
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: 累計最多ダウンロード数
       total_downloads: 累計ダウンロード数
       total_gems: Gem総数

config/locales/nl.yml

@@ -140,6 +140,9 @@ nl:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title:
@@ -340,7 +343,7 @@ nl:
       resend_confirmation: Geen bevestigingsemail ontvangen?
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded:
       total_downloads:
       total_gems:

config/locales/pt-BR.yml

@@ -140,6 +140,9 @@ pt-BR:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: Novos Releases - Todas as Gems

config/locales/zh-CN.yml

@@ -140,6 +140,9 @@ zh-CN:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 全部新发布 Gems
@@ -340,7 +343,7 @@ zh-CN:
       resend_confirmation: 没有收到确认邮件？
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: 历史下载次数排行
       total_downloads: 下载总次数
       total_gems: Gems 总数

config/locales/zh-TW.yml

@@ -140,6 +140,9 @@ zh-TW:
     gem_pushed:
       subject:
       title:
+    email_reset_update:
+      subject:
+      title:
   news:
     show:
       title: 最新發佈
@@ -340,7 +343,7 @@ zh-TW:
       resend_confirmation: 沒收到確認信？
   stats:
     index:
-      title: 
+      title:
       all_time_most_downloaded: 歷史下載次數排行
       total_downloads: 總下載次數
       total_gems: Gems 總數

test/functional/profiles_controller_test.rb

@@ -165,6 +165,33 @@ class ProfilesControllerTest < ActionController::TestCase
           refute_equal "cannotchange@tothis.com", @user.unconfirmed_email
         end
       end
+
+      context "updating email" do
+        setup do
+          @current_email = "john@doe.com"
+          @user = create(:user, email: @current_email)
+          sign_in_as(@user)
+          @new_email = "change@tothis.com"
+        end
+
+        should "set unconfirmed email and confirmation token" do
+          put :update, params: { user: { email: @new_email, password: @user.password } }
+          assert_equal @new_email, @user.unconfirmed_email
+          assert @user.confirmation_token
+        end
+
+        should "not update email" do
+          put :update, params: { user: { email: @new_email, password: @user.password } }
+          assert_equal @current_email, @user.email
+        end
+
+        should "send email reset mails to new and current email addresses" do
+          Mailer.expects(:email_reset).times(1)
+          Mailer.expects(:email_reset_update).times(1)
+          put :update, params: { user: { email: @new_email, password: @user.password } }
+          Delayed::Worker.new.work_off
+        end
+      end
     end
     context "on DELETE to destroy" do
       context "correct password" do

test/mailers/previews/mailer_preview.rb

@@ -1,6 +1,10 @@
 class MailerPreview < ActionMailer::Preview
   def email_reset
-    Mailer.email_reset(User.last)
+    Mailer.email_reset(User.last.id)
+  end
+
+  def email_reset_update
+    Mailer.email_reset_update(User.last.id)
   end
 
   def email_confirmation