demarches-normaliennes/app/controllers/users/profil_controller.rb

module Users
  class ProfilController < UserController
    def show
      @waiting_transfers = current_user.dossiers.joins(:transfer).group('dossier_transfers.email').count.to_a
    end

    def renew_api_token
      @token = current_administrateur.renew_api_token
      flash.now.notice = 'Votre jeton a été regénéré.'
      render :show
    end

    def update_email
      if current_user.instructeur? && !target_email_allowed?
        flash.alert = t('.email_not_allowed', contact_email: CONTACT_EMAIL, requested_email: requested_email)
      elsif current_user.update(update_email_params)
        flash.notice = t('devise.registrations.update_needs_confirmation')
      elsif current_user.errors&.details&.dig(:email)&.any? { |e| e[:error] == :taken }
        UserMailer.account_already_taken(current_user, requested_email).deliver_later
        # avoid leaking information about whether an account with this email exists or not
        flash.notice = t('devise.registrations.update_needs_confirmation')
      else
        flash.alert = current_user.errors.full_messages
      end

      redirect_to profil_path
    end

    def transfer_all_dossiers
      DossierTransfer.initiate(next_owner_email, current_user.dossiers)
      flash.notice = t('.new_transfer', count: current_user.dossiers.count, email: next_owner_email)
      redirect_to profil_path
    end

    private

    def update_email_params
      params.require(:user).permit(:email)
    end

    def requested_email
      update_email_params[:email]
    end

    def target_email_allowed?
      LEGIT_ADMIN_DOMAINS.any? { |d| requested_email.end_with?(d) }
    end

    def next_owner_email
      params[:next_owner]
    end
  end
end