Merge branch '219558-improve-confirmation-email-language' into 'master'

Use existing-user language in reconfirmation email Closes #219558 See merge request gitlab-org/gitlab!36634

Merge branch '219558-improve-confirmation-email-language' into 'master'
Use existing-user language in reconfirmation email Closes #219558 See merge request gitlab-org/gitlab!36634
fa9991a0 · Michael Kozono · 1db5cdee · 70868745 · fa9991a0 · fa9991a0
Commit fa9991a0 authored Jul 14, 2020 by Michael Kozono
5 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1697,6 +1697,10 @@ class User < ApplicationRecord
    impersonator.present?
  end

+  def created_recently?
+    created_at > Devise.confirm_within.ago
+  end
+
  protected

  # override, from Devise::Validatable

--- a/app/views/devise/mailer/_confirmation_instructions_account.html.haml
+++ b/app/views/devise/mailer/_confirmation_instructions_account.html.haml
 - confirmation_link = confirmation_url(@resource, confirmation_token: @token)
- if @resource.unconfirmed_email.present?
+- if @resource.unconfirmed_email.present? || !@resource.created_recently?
  #content
-    = email_default_heading(@resource.unconfirmed_email)
+    = email_default_heading(@resource.unconfirmed_email || @resource.email)
    %p Click the link below to confirm your email address.
    #cta
      = link_to 'Confirm your email address', confirmation_link

--- a/app/views/devise/mailer/_confirmation_instructions_account.text.erb
+++ b/app/views/devise/mailer/_confirmation_instructions_account.text.erb
-<% if @resource.unconfirmed_email.present? %>
-<%= @resource.unconfirmed_email %>,
-
+<% if @resource.unconfirmed_email.present? || !@resource.created_recently? %>
+<%= @resource.unconfirmed_email || @resource.email %>,
 Use the link below to confirm your email address.
 <% else %>
  <% if Gitlab.com? %>

--- a/changelogs/unreleased/219558-improve-confirmation-email-language.yml
+++ b/changelogs/unreleased/219558-improve-confirmation-email-language.yml
+---
+title: Replace misleading text in re-confirmation emails
+merge_request: 36634
+author:
+type: security
--- a/spec/mailers/devise_mailer_spec.rb
+++ b/spec/mailers/devise_mailer_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'email_spec'
+
+RSpec.describe DeviseMailer do
+  describe "#confirmation_instructions" do
+    subject { described_class.confirmation_instructions(user, 'faketoken', {}) }
+
+    context "when confirming the unconfirmed_email" do
+      let(:user) { build(:user, unconfirmed_email: 'jdoe@example.com') }
+
+      it "shows the unconfirmed_email" do
+        expect(subject.body.encoded).to have_text user.unconfirmed_email
+        expect(subject.body.encoded).not_to have_text user.email
+      end
+    end
+
+    context "when re-confirming the primary email after a security issue" do
+      let(:user) { build(:user, created_at: 10.days.ago, unconfirmed_email: nil) }
+
+      it "shows the primary email" do
+        expect(subject.body.encoded).to have_text user.email
+      end
+    end
+  end
+end