From 6fff92e984c8977bb1b8d5424e8b81796e2ccb07 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Wed, 9 Oct 2013 15:26:30 +0300
Subject: Enable confirmable and reconfirmable modules for User
Now when you want to signup or change existing email you will be forced to confirm that you really own this email. You get email with link to follow in order to confirm your email address
Conflicts:
app/models/user.rb
---
app/models/user.rb | 4 ++--
config/initializers/devise.rb | 2 ++
db/migrate/20131009115346_add_confirmable_to_users.rb | 15 +++++++++++++++
db/schema.rb | 7 ++++++-
4 files changed, 25 insertions(+), 3 deletions(-)
create mode 100644 db/migrate/20131009115346_add_confirmable_to_users.rb
diff --git a/app/models/user.rb b/app/models/user.rb
index 29c53b88331..22292de40a6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -43,7 +43,7 @@ require 'file_size_validator'
class User < ActiveRecord::Base
devise :database_authenticatable, :token_authenticatable, :lockable, :async,
- :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :registerable
+ :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username, :skype, :linkedin, :twitter, :color_scheme_id, :theme_id, :force_random_password,
@@ -398,4 +398,4 @@ class User < ActiveRecord::Base
self
end
-end
\ No newline at end of file
+end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 39c1b7c235b..b7cb808d2e5 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
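Review bot: Adding `:confirmable` to the `devise` call only gates sign-ins that pass through Devise's `active_for_authentication?` check; if the application has other authentication paths that look a user up outside the Devise/Warden strategies (a private-token lookup, for instance), an account whose address was never confirmed would still be usable there, so that should be verified before confirmation is relied on as a control. With `reconfirmable` also enabled, the module reads and writes `unconfirmed_email`, so the `attr_accessible` list that continues past this hunk should be checked to ensure `confirmed_at` and `unconfirmed_email` are not mass-assignable. Only the `devise` call and the start of `attr_accessible` are visible here; the rest of `User` lies outside the hunk.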
@@ -54,6 +54,8 @@ Devise.setup do |config|
# The realm used in Http Basic Authentication. "Application" by default.
# config.http_authentication_realm = "Application"
+ config.reconfirmable = true
+
# It will change confirmation, password recovery and other workflows
# to behave the same regardless if the e-mail provided was right or wrong.
# Does not affect registerable.
diff --git a/db/migrate/20131009115346_add_confirmable_to_users.rb b/db/migrate/20131009115346_add_confirmable_to_users.rb
new file mode 100644
index 00000000000..249cbe704ed
--- /dev/null
+++ b/db/migrate/20131009115346_add_confirmable_to_users.rb
@@ -0,0 +1,15 @@
+class AddConfirmableToUsers < ActiveRecord::Migration
+ def self.up
+ add_column :users, :confirmation_token, :string
+ add_column :users, :confirmed_at, :datetime
+ add_column :users, :confirmation_sent_at, :datetime
+ add_column :users, :unconfirmed_email, :string
+ add_index :users, :confirmation_token, unique: true
+ User.update_all(confirmed_at: Time.now)
+ end
+
+ def self.down
+ remove_column :users, :confirmation_token, :confirmed_at, :confirmation_sent_at
+ remove_column :users, :unconfirmed_email
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index b3bc31c76dd..d6acb2f90e9 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
#
# It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20131005191208) do
+ActiveRecord::Schema.define(:version => 20131009115346) do
create_table "deploy_keys_projects", :force => true do |t|
t.integer "deploy_key_id", :null => false
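Review bot: `config.reconfirmable = true` is inserted under the HTTP Basic Authentication comments rather than next to the other `:confirmable` options, so a reader scanning the initializer for confirmation behaviour will not find it where they expect; move it beside the confirmable settings and give it its own comment, e.g. `# Email changes take effect only after the new address is confirmed.`. Nothing in the hunk bounds how long a confirmation token stays valid or how long an unconfirmed account may keep signing in; if the rest of the initializer leaves the Devise defaults in place (the option names differ by Devise version — `allow_unconfirmed_access_for`, and `confirm_within` where the installed version supports it), consider setting them explicitly so the policy is visible in one place. The `Devise.setup` block continues outside the hunk.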
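Review bot: `User.update_all(confirmed_at: Time.now)` in `self.up` couples the migration to the application's `User` model, so any later default scope, validation or module change on that class can alter what this migration does when it is replayed on a fresh database; a plain `execute("UPDATE users SET confirmed_at = ...")` or a minimal model class declared inside the migration avoids that, and `Time.now.utc` matches how Devise itself writes `confirmed_at`. Marking every existing account as confirmed is the right call here, otherwise the deploy would lock out all current users, but that intent deserves a comment above the line, e.g. `# Accounts created before confirmation existed are treated as confirmed so the rollout does not lock them out.`. The `self.down` method mixes one `remove_column` call with three column names and a second call with one; either form works on this Rails version, but using one style makes the rollback easier to read.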
@@ -284,10 +284,15 @@ ActiveRecord::Schema.define(:version => 20131005191208) do
t.datetime "password_expires_at"
t.integer "created_by_id"
t.string "avatar"
+ t.string "confirmation_token"
+ t.datetime "confirmed_at"
+ t.datetime "confirmation_sent_at"
+ t.string "unconfirmed_email"
end
add_index "users", ["admin"], :name => "index_users_on_admin"
add_index "users", ["authentication_token"], :name => "index_users_on_authentication_token", :unique => true
+ add_index "users", ["confirmation_token"], :name => "index_users_on_confirmation_token", :unique => true
add_index "users", ["email"], :name => "index_users_on_email", :unique => true
add_index "users", ["extern_uid", "provider"], :name => "index_users_on_extern_uid_and_provider", :unique => true
add_index "users", ["name"], :name => "index_users_on_name"
-- 
cgit v1.2.1
From 2e8b0fa5cf9e70c55bd1dbb254db3f9aa45b23e9 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Tue, 15 Oct 2013 09:59:58 +0300
Subject: Oauth users and users created by admin should be confirmed immediatly
---
app/controllers/admin/users_controller.rb | 1 +
lib/gitlab/oauth/user.rb | 1 +
spec/factories.rb | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 70bbe306562..076c5f0ba58 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -47,6 +47,7 @@ class Admin::UsersController < Admin::ApplicationController
@user = User.build_user(params[:user].merge(opts), as: :admin)
@user.admin = (admin && admin.to_i > 0)
@user.created_by_id = current_user.id
+ @user.confirm!
respond_to do |format|
if @user.save
diff --git a/lib/gitlab/oauth/user.rb b/lib/gitlab/oauth/user.rb
index 1b32b99f4ba..ea9badba2c3 100644
--- a/lib/gitlab/oauth/user.rb
+++ b/lib/gitlab/oauth/user.rb
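Review bot: `@user.confirm!` runs before `@user.save`, and in the Devise versions of this era `confirm!` persists the record itself — for a new record with no pending email change it saves with validations skipped, as far as I recall, which is worth checking against the installed version — so an admin-created user can reach the database without validation and the `if @user.save` branch below no longer decides whether the record is created. The intent ("admin-created accounts need no confirmation") is expressed directly by `@user.skip_confirmation!`, which only sets `confirmed_at` in memory and also suppresses the confirmation mail that `:confirmable` would otherwise send on create, leaving the real `save` to validate. The `respond_to` block and the rest of the action continue outside the hunk.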
@@ -29,6 +29,7 @@ module Gitlab
user = model.build_user(opts, as: :admin)
user.save!
+ user.confirm!
log.info "(OAuth) Creating user #{email} from login with extern_uid => #{uid}"
if Gitlab.config.omniauth['block_auto_created_users'] && !ldap?
diff --git a/spec/factories.rb b/spec/factories.rb
index 56561fe4595..91ef5086a9e 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -23,6 +23,10 @@ FactoryGirl.define do
end
factory :admin, traits: [:admin]
+
+ after :create do |u|
+ u.confirm!
+ end
end
factory :project do
-- 
cgit v1.2.1
From 01186f9fc6f5f5645ea5406ce571f83db0dc080a Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Tue, 15 Oct 2013 11:19:19 +0300
Subject: Show confirmation status in profile
---
CHANGELOG | 2 ++
app/controllers/admin/users_controller.rb | 1 +
app/views/profiles/show.html.haml | 7 ++++++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 58d2bfa63e8..75141fe914f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,8 @@ v 6.2.0
- Avatar upload on profile page with a maximum of 200KB (Steven Thonus) - Store the sessions in Redis instead of the cookie store - Fixed relative links in markdown + - User must confirm his email if signup enabled + - User must confirm changed email v 6.1.0 - Project specific IDs for issues, mr, milestones
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 076c5f0ba58..dccbfa2f709 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -72,6 +72,7 @@ class Admin::UsersController < Admin::ApplicationController
respond_to do |format|
if user.update_attributes(params[:user], as: :admin)
+ user.confirm!
format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
format.json { head :ok }
else
diff --git a/app/views/profiles/show.html.haml b/app/views/profiles/show.html.haml
index ada2892c6ba..2dce690c8dd 100644
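Review bot: `user.confirm!` is called after `user.save!`, so the OAuth-created record is first persisted unconfirmed — at which point `:confirmable` sends (or, with `:async`, enqueues) confirmation instructions — and only then marked confirmed, leaving a confirmation token and mail in flight for an account that no longer needs them; `user.skip_confirmation!` placed before `user.save!` expresses the same intent without the extra mail and second write. The `after :create` hook added to spec/factories.rb in this commit has the same shape, and a `before :create` hook calling `skip_confirmation!` would avoid the mail in tests as well. The `user.confirm!` added after `update_attributes` in app/controllers/admin/users_controller.rb in the following commit is the analogous case for email changes: with `reconfirmable` on, the update first parks the new address in `unconfirmed_email` and sends reconfirmation instructions, and `confirm!` then promotes it, whereas `user.skip_reconfirmation!` before the update applies the change directly; note too that on a user who is already confirmed with nothing pending, `confirm!` only adds an error to the record, which this code ignores. The enclosing method continues outside this hunk.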
--- a/app/views/profiles/show.html.haml
+++ b/app/views/profiles/show.html.haml
@@ -25,7 +25,12 @@
= f.label :email, class: "control-label"
.controls
= f.text_field :email, class: "input-xlarge", required: true
- %span.help-block We also use email for avatar detection if no avatar is uploaded.
+ - if @user.unconfirmed_email.present?
+ %span.help-block
+ We sent confirmation email to
+ %strong #{@user.unconfirmed_email}
+ - else
+ %span.help-block We also use email for avatar detection if no avatar is uploaded.
.control-group
= f.label :skype, class: "control-label"
.controls= f.text_field :skype, class: "input-xlarge"
-- 
cgit v1.2.1
From f4d68f398f2ed176df97a9870f5d634bd5c06e0c Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Tue, 15 Oct 2013 11:29:22 +0300
Subject: set current_user for project spec
---
spec/models/project_spec.rb | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index dcaee39fa68..c7266007999 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -27,8 +27,14 @@ require 'spec_helper'
describe Project do
- before(:each) { enable_observers }
- after(:each) { disable_observers }
+ let(:user) { create(:user) }
+
+ before do
+ enable_observers
+ Thread.current[:current_user] = user
+ end
+
+ after { disable_observers }
describe "Associations" do
it { should belong_to(:group) }
-- 
cgit v1.2.1
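Review bot: `%strong #{@user.unconfirmed_email}` renders a user-supplied address through HAML string interpolation, which is HTML-escaped only when the application's HAML `escape_html` option is enabled (the Rails default); that setting is not visible in this patch, so it is worth confirming rather than assuming, or writing the value as `%strong= @user.unconfirmed_email` so the escaping path is the same as the rest of the form. The help text `We sent confirmation email to` also reads more naturally as `We sent a confirmation email to`. The form continues outside the hunk.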
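Review bot: `Thread.current[:current_user] = user` is set in the new `before` block but never cleared, so the value outlives each example and leaks into whatever runs next on the same thread — specs that expect no current user, or a different one, will pass or fail depending on ordering. Reset it in the teardown next to the observer cleanup: `after do`, `Thread.current[:current_user] = nil`, `disable_observers`, `end`. The `describe Project` block continues outside the hunk.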