Diffstat (limited to 'app')
-rw-r--r--app/controllers/application.rb7
-rw-r--r--app/controllers/request_controller.rb8
-rw-r--r--app/controllers/user_controller.rb65
-rw-r--r--app/models/post_redirect.rb13
-rw-r--r--app/models/user_mailer.rb26
-rw-r--r--app/views/user/confirm.rhtml14
-rw-r--r--app/views/user/signin.rhtml10
-rw-r--r--app/views/user/signup.rhtml5
-rw-r--r--app/views/user_mailer/confirm_login.rhtml11
9 files changed, 133 insertions, 26 deletions
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index fb56497f4..cf5ca0db8 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -6,7 +6,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: application.rb,v 1.22 2007-11-01 14:45:56 francis Exp $
+# $Id: application.rb,v 1.23 2007-11-05 16:46:10 francis Exp $
class ApplicationController < ActionController::Base
@@ -19,9 +19,10 @@ class ApplicationController < ActionController::Base
private
# Check the user is logged in
- def authenticated?
+ def authenticated?(reason_params)
unless session[:user]
- post_redirect = PostRedirect.new(:uri => request.request_uri, :post_params => params)
+ post_redirect = PostRedirect.new(:uri => request.request_uri, :post_params => params,
+ :reason_params => reason_params)
post_redirect.save!
redirect_to signin_url(:token => post_redirect.token)
return false
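Review bot: `authenticated?` now requires a positional `reason_params`, so any caller elsewhere in the app that still invokes it bare (none are visible in this diff, but the method is shared by every controller) will raise ArgumentError at request time; a default such as `def authenticated?(reason_params = {})` keeps old call sites working while the new ones pass their texts. The expected keys are only discoverable by reading request_controller and the views, so a comment on the method would help: `# reason_params: hash of texts shown while the user is asked to log in — :web (signin page note), :email (confirmation mail body), :email_subject (mail subject)`. The method body continues past the end of this hunk.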
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index b1c27ecb6..c13ec45eb 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -4,7 +4,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: request_controller.rb,v 1.11 2007-11-01 05:44:43 francis Exp $
+# $Id: request_controller.rb,v 1.12 2007-11-05 16:46:10 francis Exp $
class RequestController < ApplicationController
@@ -41,7 +41,11 @@ class RequestController < ApplicationController
# This automatically saves dependent objects, such as @info_request, in the same transaction
if not @info_request.valid?
render :action => 'new'
- elsif authenticated?
+ elsif authenticated?(
+ :web => "To send your FOI request, please log in or make a new account.",
+ :email => "Then your FOI request to " + @info_request.public_body.name + " will be sent.",
+ :email_subject => "Confirm that you want to send an FOI request to " + @info_request.public_body.name
+ )
@info_request.user = authenticated_user
@info_request.save
@outgoing_message.send_message
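Review bot: The three reason strings are built by `+` concatenation; interpolation is the idiomatic and more readable form here, e.g. `:email => "Then your FOI request to #{@info_request.public_body.name} will be sent."` and likewise for `:email_subject`. Note that `public_body.name` ends up in the mail's Subject header via `UserMailer#confirm_login`; if that name can ever be edited by non-admin users, it is worth confirming that the mailer strips or encodes line breaks so a crafted name cannot inject further headers. The enclosing action starts and ends outside this hunk.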
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 6c950e7ba..5089c3cf8 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -4,7 +4,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: user_controller.rb,v 1.10 2007-11-01 16:14:43 francis Exp $
+# $Id: user_controller.rb,v 1.11 2007-11-05 16:46:10 francis Exp $
class UserController < ApplicationController
# XXX See controllers/application.rb simplify_url_part for reverse of expression in SQL below
@@ -16,9 +16,11 @@ class UserController < ApplicationController
def signin
# The explict signin link uses this to store where it is to go back to
if params[:r]
- post_redirect = PostRedirect.new(:uri => params[:r], :post_params => {})
- post_redirect.save!
- params[:token] = post_redirect.token
+ @post_redirect = PostRedirect.new(:uri => params[:r], :post_params => {})
+ @post_redirect.save!
+ params[:token] = @post_redirect.token
+ else
+ @post_redirect = PostRedirect.find_by_token(params[:token])
end
if not params[:user]
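Review bot: `@post_redirect = PostRedirect.find_by_token(params[:token])` yields nil whenever `signin` is reached without a token or with an unknown/forged one, and nothing in this action handles that case; the signin view then calls `@post_redirect.reason_params[:web]` and the confirmed-login branch calls `@post_redirect.uri`, both raising NoMethodError, so a plain visit to the signin URL becomes a 500. Add an early return after the `if/else`, e.g. `return render(:text => "Sorry, that sign-in link is not valid.") if @post_redirect.nil?` (or a dedicated error template), so a missing or bad token produces a clear page rather than a stack trace. The same nil record is dereferenced again in `send_confirmation_mail` in the last hunk of this file. `signin`'s body continues outside the hunk.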
@@ -29,9 +31,12 @@ class UserController < ApplicationController
@user = User.authenticate(params[:user][:email], params[:user][:password])
if @user
# Successful login
- session[:user] = @user.id
- post_redirect = PostRedirect.find_by_token(params[:token])
- do_post_redirect post_redirect.uri, post_redirect.post_params
+ if @user.email_confirmed
+ session[:user] = @user.id
+ do_post_redirect @post_redirect.uri, @post_redirect.post_params
+ else
+ send_confirmation_mail
+ end
return
else
if User.find(:first, :conditions => [ "email ilike ?", params[:user][:email] ]) # using like for case insensitive
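Review bot: `session[:user] = @user.id` on the confirmed branch (and again in the new `confirm` action below) writes the login into whatever session the browser arrived with; unless the session store already rotates the id on login, calling `reset_session` immediately before the assignment ensures a session id fixed before authentication cannot become a logged-in one. On the unconfirmed branch `send_confirmation_mail` looks the token up a second time even though `@post_redirect` is already loaded here; reusing it would avoid the duplicate query and keep both paths consistent. `signin`'s body continues outside the hunk.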
@@ -54,21 +59,44 @@ class UserController < ApplicationController
def signup
# Make the user and try to save it
@user = User.new(params[:user])
- if not @user.save
+ if not @user.valid?
# First time get to form (e.g. from signin) , don't show errors
@first_time = params[:first_time]
@user.errors.clear if @first_time
# Show the form
render :action => 'signup'
else
- # New user made, redirect back to where we were
- session[:user] = @user.id
- post_redirect = PostRedirect.find_by_token(params[:token])
- do_post_redirect post_redirect.uri, post_redirect.post_params
+ # Unconfirmed user
+ @user.email_confirmed = false
+ @user.save
+
+ send_confirmation_mail
return
end
end
+ # Followed link in user account confirmation email
+ def confirm
+ post_redirect = PostRedirect.find_by_email_token(params[:email_token])
+
+ # XXX add message like this if post_redirect not found
+ # err(sprintf(_("Please check the URL (i.e. the long code of
+ # letters and numbers) is copied correctly from your email. If
+ # you can't click on it in the email, you'll have to select and
+ # copy it from the email. Then paste it into your browser, into
+ # the place you would type the address of any other webpage.
+ # Technical details: The token '%s' wasn't found."), $q_t));
+ #
+
+ @user = post_redirect.user
+ @user.email_confirmed = true
+ @user.save
+
+ session[:user] = @user.id
+
+ do_post_redirect post_redirect.uri, post_redirect.post_params
+ end
+
# Logout form
def signout
session[:user] = nil
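Review bot: `confirm` logs in whoever presents a matching `email_token` and never invalidates the `PostRedirect` afterwards, so the emailed link remains a working login credential every time it is replayed, e.g. from a forwarded or archived message; after `@user.save` succeeds, clear the token or destroy the record (`post_redirect.destroy` once the uri and post_params have been read into locals) and consider rejecting tokens older than some age. The XXX comment already notes that `find_by_email_token` can return nil, but the code still dereferences it on the next line, so a mistyped link is a 500 rather than the described message. Both `@user.save` calls (signup and confirm) discard the result; `@user.save!` would surface a validation failure instead of silently continuing to log the user in.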
@@ -82,4 +110,17 @@ class UserController < ApplicationController
private
+ # Ask for email confirmation
+ def send_confirmation_mail
+ raise "user #{@user.id} already confirmed" if @user.email_confirmed
+
+ post_redirect = PostRedirect.find_by_token(params[:token])
+ post_redirect.user = @user
+ post_redirect.save!
+
+ url = confirm_url(:email_token => post_redirect.email_token)
+ UserMailer.deliver_confirm_login(@user, post_redirect.reason_params, url)
+ render :action => 'confirm'
+ end
+
end
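Review bot: `post_redirect = PostRedirect.find_by_token(params[:token])` returns nil for a missing or unknown token and the very next line calls `post_redirect.user =`, so the signup path (which never loads `@post_redirect`) fails with NoMethodError instead of a user-facing error. Prefer the record the action already has and guard the lookup, e.g. `post_redirect = @post_redirect || PostRedirect.find_by_token(params[:token])` followed by `raise ActiveRecord::RecordNotFound if post_redirect.nil?`, so the token problem surfaces as a not-found rather than a crash deep in the mailer path. A short comment that this method binds the pending redirect to the unconfirmed user so `confirm` can find it via `email_token` would also help a reader follow the two-token flow.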
diff --git a/app/models/post_redirect.rb b/app/models/post_redirect.rb
index b7cf39092..4c4ddcc2f 100644
--- a/app/models/post_redirect.rb
+++ b/app/models/post_redirect.rb
@@ -5,11 +5,14 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: post_redirect.rb,v 1.2 2007-11-02 10:28:20 francis Exp $
+# $Id: post_redirect.rb,v 1.3 2007-11-05 16:46:10 francis Exp $
require 'openssl' # for random bytes function
class PostRedirect < ActiveRecord::Base
+ # Optional, does login confirm after email.
+ belongs_to :user
+
# We store YAML version of POST parameters in the database
def post_params=(params)
self.post_params_yaml = params.to_yaml
@@ -18,6 +21,14 @@ class PostRedirect < ActiveRecord::Base
YAML.load(self.post_params_yaml)
end
+ # We store YAML version of textual "reason for redirect" parameters
+ def reason_params=(reason_params)
+ self.reason_params_yaml = reason_params.to_yaml
+ end
+ def reason_params
+ YAML.load(self.reason_params_yaml)
+ end
+
# Makes a random token, suitable for using in URLs e.g confirmation messages.
def self.generate_random_token
bits = 12 * 8
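Review bot: `reason_params` assumes `reason_params_yaml` is always set, but `PostRedirect`s created through the `params[:r]` branch of `signin` carry no reasons, so `YAML.load(self.reason_params_yaml)` is called with nil and the view's `reason_params[:web]` then fails; returning an empty hash for that case, `self.reason_params_yaml ? YAML.load(self.reason_params_yaml) : {}`, keeps the view rendering. More generally `YAML.load` will instantiate whatever Ruby classes a stored document names, so both getters rely on the columns never holding anything but what these setters wrote; a comment stating that `reason_params` is controller-supplied text only (never request data) would make that invariant explicit, and where the Ruby in use offers `YAML.safe_load` it is the safer deserializer. `generate_random_token` continues outside the hunk.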
diff --git a/app/models/user_mailer.rb b/app/models/user_mailer.rb
new file mode 100644
index 000000000..a7e59f36a
--- /dev/null
+++ b/app/models/user_mailer.rb
@@ -0,0 +1,26 @@
+# models/user_mailer.rb:
+# Emails relating to user accounts. e.g. Confirming a new account
+#
+# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
+# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
+#
+# $Id: user_mailer.rb,v 1.1 2007-11-05 16:46:10 francis Exp $
+
+class UserMailer < ActionMailer::Base
+
+ def confirm_login(user, reasons, url)
+ @from = MySociety::Config.get("CONTACT_EMAIL")
+ @recipients = user.email
+ @subject = reasons[:email_subject]
+ @body[:reasons] = reasons
+ @body[:name] = user.name
+ @body[:url] = url
+ end
+
+end
+
+#'reason_web' => _("To view your pledges, we need to check your email address."),
+#'reason_email' => _("Then you will be able to view your pledges."),
+#'reason_email_subject' => _('View your pledges at PledgeBank.com')
+
+
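Review bot: The three commented-out `'reason_web'`/`'reason_email'`/`'reason_email_subject'` lines after the class are leftover notes from another project (they reference pledges and PledgeBank) and do not describe this mailer's contract; replace them with a comment on `confirm_login` such as `# reasons: hash with :email_subject (mail subject) and :email (sentence in the body); url: the confirmation link` and drop the trailing blank lines. `reasons[:email_subject]` will also raise if a `PostRedirect` without reasons reaches this mailer, so the caller should guarantee a hash (or this method should tolerate nil) — which of the two is intended is not clear from the diff.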
diff --git a/app/views/user/confirm.rhtml b/app/views/user/confirm.rhtml
new file mode 100644
index 000000000..bc9b259cc
--- /dev/null
+++ b/app/views/user/confirm.rhtml
@@ -0,0 +1,14 @@
+<% @title = h("Now check your email!") %>
+
+<h1 class="confirmation_heading">Now check your email!</h1>
+
+<p class="confirmation_message">
+We've sent you an email, and you'll need to click the link in it before you can
+continue.
+</p>
+
+<p class="confirmation_message">
+<small>If you use web-based email or have "junk mail" filters, also check your
+bulk/spam mail folders. Sometimes, our messages are marked that way.</small>
+</p>
+
diff --git a/app/views/user/signin.rhtml b/app/views/user/signin.rhtml
index 137de91b3..239617189 100644
--- a/app/views/user/signin.rhtml
+++ b/app/views/user/signin.rhtml
@@ -1,6 +1,8 @@
<%= foi_error_messages_for :user %>
<% form_tag({:action => "signin"}, {:id => "accountForm"}) do %>
+ <div class="form_note"><%= @post_redirect.reason_params[:web] %></div>
+
<p>
<label for="user_email" id="signin_email"><strong>Enter your e-mail address:</strong></label>
<%= text_field 'user', 'email', { :size => 20 } %>
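Review bot: `<%= @post_redirect.reason_params[:web] %>` is emitted without HTML escaping; today the value is a literal string from a controller, but it is stored in the database and any future caller of `authenticated?` that passes data-derived text would be rendered raw, so escape at the output site: `<div class="form_note"><%= h(@post_redirect.reason_params[:web]) %></div>`. The expression also assumes `@post_redirect` and its `reason_params` are non-nil, which `signin` does not guarantee for a missing or unknown token, so this line is where the 500 surfaces unless the controller guards it.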
@@ -11,16 +13,14 @@
<%= password_field 'user', 'password', { :size => 15 } %>
</p>
- <p>
- <label>&nbsp;</label>
+ <p class="form_note">
Don't have a password? Just enter one to register a new account.
</p>
- <p>
- <label for="submit">&nbsp;</label>
+ <div class="form_button">
<%= hidden_field_tag 'token', params[:token] %>
<%= submit_tag "Sign in" %>
- </p>
+ </div>
<% end %>
diff --git a/app/views/user/signup.rhtml b/app/views/user/signup.rhtml
index dd779a0f3..d4d13277f 100644
--- a/app/views/user/signup.rhtml
+++ b/app/views/user/signup.rhtml
@@ -39,11 +39,10 @@
</ul>
</div>
- <p>
- <label for="submit">&nbsp;</label>
+ <div class="form_button">
<%= hidden_field_tag 'token', params[:token] %>
<%= submit_tag "Sign in" %>
- </p>
+ </div>
<% end %>
diff --git a/app/views/user_mailer/confirm_login.rhtml b/app/views/user_mailer/confirm_login.rhtml
new file mode 100644
index 000000000..0c58905a8
--- /dev/null
+++ b/app/views/user_mailer/confirm_login.rhtml
@@ -0,0 +1,11 @@
+<%= @name %>,
+
+Please click on the link below to confirm your email address.
+<%=@reasons[:email]%>
+
+<%=@url%>
+
+We will never give away or sell your email address to anyone else
+without your permission.
+
+-- the GovernmentSpy.com team