New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Send email to current email address on request to update email #2392
Conversation
2cebec9
to
141dad5
Compare
app/mailers/mailer.rb
Outdated
def email_reset_update(user_id) | ||
@user = User.find(user_id) | ||
mail to: @user.email, | ||
subject: "You have requested email address update on RubyGems.org" |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
@@ -0,0 +1,45 @@ | |||
<% @title = "Email update requested" %> | |||
<% @sub_title = "Hi #{@user.handle}" %> |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
141dad5
to
375863b
Compare
375863b
to
054fe56
Compare
@@ -18,7 +18,7 @@ def update | |||
@user = current_user.clone | |||
if @user.update(params_user) | |||
if @user.unconfirmed_email | |||
Mailer.delay.email_reset(current_user) | |||
send_email_reset_mails |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
end | ||
|
||
should "not update email" do | ||
put :update, params: { user: { email: @new_email, password: @user.password } } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there some missing context around this test? Is this testing that an email cannot be updated again unless the first email update is verified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so, when user updates his email address we don't update email
column until the user clicks on confirmation link sent to the new "unconfirmed_email. I have updated this to
should "not update the current email" do`. Let me know if you have a better idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea is great, but it seems like this test is depending on state being set by the test above. We want to avoid that as much as possible and set the correct state inside the current test.
We should also wrap a context
block of when the user has updated but yet verified the email
or something to help improve readability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this test is depending on state being set by the test above
I disagree. should not update email
only depends on setup
and put :update
action, not any other tests. Please explain why do feel this way and we can fix it.
IMHO, testing big picture things like how is this related to the user not clicking on confirmation mail after updating email goes in integration tests (which we have added).
I have wrapped this in context "yet to verify the updated email" do
since you suggested this improved reliability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok I think I understand what's happening now, the user email is not verified by default in the User model. Can we add email_confirmed: false
into the create
stub so just make it more easier to understand?
👍 for everything else
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the user email is not verified by default in the User model.
I think you are talking about initial state of user creation[1]. This test is for context "updating email"
(equivalent integration test would be updating email from profile edit form). When the user updates his email, we set unconfirmed_email
column using this hook and not update email
column right away. I am adding a test for that. The existing email
(one before update) stays confirmed (email_confirmed
does not change).
[1] email_confirmed is not relevant for this test but just so you know although the user model has email_confirmed
set to false by default, in factory we use email_confirmed: true
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, please just ignore me and merge this, I'm not following but thanks for your efforts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Allow me to explain one more time. Following are two processes related to email confirmation:
- user signs up
- set `email`, confirmation_token, expiry and email_confirmed (value false)
- when the user clicks on confirmation URL update `email_confirmed` to true
- user updates email from the profile edit page
- set `unconfirmed_email`, confirmation_token, expiry
- when the user clicks on confirmation URL update `email` with `unconfirmed_email`
Two processes are not the same (or using same columns) as in sign up we don't allow users to sign in unless email_confirmed
is true. In the email update process, users can sign in using old email (which was already confirmed) until they verify their new email.
Feel free to message on slack if you have any questions or clarification.
36a8012
to
b308fb3
Compare
0b3f58b
to
037ff89
Compare
This would ensure unintended email address update don't go unnoticed.
037ff89
to
c4fa27e
Compare
This would ensure unintended email address update don't go unnoticed.