From d0ab1711ff214b88d8e79e9a6b1f17aefb3e7d75 Mon Sep 17 00:00:00 2001 From: Martin Date: Thu, 23 Dec 2021 14:54:37 +0100 Subject: [PATCH] fix(profil_controller#update_email): ensure we are not merging same account MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fix(profil_controller#update_email): changing email from current_user.email to current_user.email destroy current user. whoops ☠️' Update config/locales/en.yml Co-authored-by: Pierre de La Morinerie Update config/locales/fr.yml Co-authored-by: Pierre de La Morinerie Update spec/controllers/users/profil_controller_spec.rb Update config/locales/fr.yml Co-authored-by: Pierre de La Morinerie Update spec/controllers/users/profil_controller_spec.rb fix(spec): broken due to typo --- app/controllers/users/profil_controller.rb | 4 +--- app/models/user.rb | 15 +++++++++++++-- config/locales/en.yml | 11 ++++++++++- config/locales/fr.yml | 3 +++ spec/controllers/users/profil_controller_spec.rb | 10 +++++++++- 5 files changed, 36 insertions(+), 7 deletions(-) diff --git a/app/controllers/users/profil_controller.rb b/app/controllers/users/profil_controller.rb index 15bcf0d49..fced4cd88 100644 --- a/app/controllers/users/profil_controller.rb +++ b/app/controllers/users/profil_controller.rb @@ -14,9 +14,7 @@ module Users def update_email requested_user = User.find_by(email: requested_email) - - if requested_user.present? - current_user.ask_for_merge(requested_user) + if requested_user.present? && current_user.ask_for_merge(requested_user) current_user.update(unconfirmed_email: nil) flash.notice = t('devise.registrations.update_needs_confirmation') diff --git a/app/models/user.rb b/app/models/user.rb index dde05f08c..0e88dba7e 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
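Review bot: In `update_email`, the new condition `requested_user.present? && current_user.ask_for_merge(requested_user)` sends a failed merge request down the same path as "no account has this address", so any validation failure on `current_user` falls through to whatever branch follows. If that branch attempts an ordinary email update, the message shown would come from that second attempt rather than from the merge validation, and a uniqueness error there could reveal that the address belongs to another account. Keeping `if requested_user.present?` as the outer test and handling a false return inside it, for example with `flash.alert = current_user.errors.full_messages`, would keep the two cases separate. The rest of `update_email` lies outside the hunk, so the fall-through behaviour is inferred rather than seen.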
@@ -63,6 +63,8 @@ class User < ApplicationRecord before_validation -> { sanitize_email(:email) } + validate :does_not_merge_on_self, if: :requested_merge_into_id_changed? + def validate_password_complexity? administrateur? end @@ -223,12 +225,21 @@ class User < ApplicationRecord end def ask_for_merge(requested_user) - update(requested_merge_into: requested_user) - UserMailer.ask_for_merge(self, requested_user.email).deliver_later + if update(requested_merge_into: requested_user) + UserMailer.ask_for_merge(self, requested_user.email).deliver_later + return true + else + return false + end end private + def does_not_merge_on_self + return if requested_merge_into_id != self.id + errors.add(:requested_merge_into, :same) + end + def link_invites! Invite.where(email: email).update_all(user_id: id) end diff --git a/config/locales/en.yml b/config/locales/en.yml index 36af0d550..a26db6af1 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -244,9 +244,16 @@ en: one: User other: Users attributes: + default_attributes: &default_attributes + password: 'password' + requested_merge_into: 'new email address' user: siret: 'SIRET number' - password: 'password' + << : *default_attributes + instructeur: + << : *default_attributes + super_admin: + << : *default_attributes instructeur: password: 'password' errors: @@ -268,6 +275,8 @@ en: too_short: 'is too short' password_confirmation: confirmation: ': The two passwords do not match' + requested_merge_into: + same: "can't be the same as the old one" invite: attributes: email: diff --git a/config/locales/fr.yml b/config/locales/fr.yml index 73d8381f8..0f2b4b81c 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml @@ -244,6 +244,7 @@ fr: attributes: default_attributes: &default_attributes password: 'Le mot de passe' + requested_merge_into: 'La nouvelle adresse email' user: siret: 'Numéro SIRET' << : *default_attributes 
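Review bot: `ask_for_merge` in app/models/user.rb now returns a boolean that the controller's `&&` relies on, but nothing documents that contract, and the `if`/`else` with `return true` / `return false` is longer than it needs to be. A guard clause reads more directly: `return false unless update(requested_merge_into: requested_user)`, followed by the existing `deliver_later` call and a final `true`. A comment such as `# Returns false, and sends no mail, when the merge request fails validation (e.g. merging into self).` would make the contract explicit for other callers. In `does_not_merge_on_self`, `self.id` can be written as plain `id`.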
@@ -273,6 +274,8 @@ fr: not_strong: 'n’est pas assez complexe' password_confirmation: confirmation: ': Les deux mots de passe ne correspondent pas' + requested_merge_into: + same: "ne peut être identique à l’ancienne" invite: attributes: email: diff --git a/spec/controllers/users/profil_controller_spec.rb b/spec/controllers/users/profil_controller_spec.rb index 6e3bd3779..6bc1771a3 100644 --- a/spec/controllers/users/profil_controller_spec.rb +++ b/spec/controllers/users/profil_controller_spec.rb @@ -48,6 +48,14 @@ describe Users::ProfilController, type: :controller do end describe 'PATCH #update_email' do + context 'when email is same as user' do + it 'fails' do + patch :update_email, params: { user: { email: user.email } } + expect(response).to have_http_status(302) + expect(flash[:alert]).to eq(["La nouvelle adresse email ne peut être identique à l’ancienne"]) + end + end + context 'when everything is fine' do let(:previous_request) { create(:user) } @@ -69,7 +77,7 @@ describe Users::ProfilController, type: :controller do before do user.update(unconfirmed_email: 'unconfirmed@mail.com') - expect_any_instance_of(User).to receive(:ask_for_merge).with(existing_user) + expect(UserMailer).to receive(:ask_for_merge).with(user, existing_user.email).and_return(double(deliver_later: true)) perform_enqueued_jobs do patch :update_email, params: { user: { email: existing_user.email } }
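Review bot: The new 'when email is same as user' example in profil_controller_spec.rb checks only the redirect and the flash text, not the regression named in the commit message, which is that the current account was destroyed. Adding `expect(UserMailer).not_to receive(:ask_for_merge)` before the request and `expect(User.exists?(user.id)).to be(true)` after it would pin both the absence of a merge mail and the surviving account. The expected alert is the literal French string, so the example also depends on the locale the suite runs under. The enclosing `describe` block continues outside the hunk.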