Fix #4789 - allow user email verification to be managed by administrator

Oqtane.Server/Controllers/UserController.cs

@@ -140,6 +140,7 @@ namespace Oqtane.Controllers
                     filtered.LastLoginOn = user.LastLoginOn;
                     filtered.LastIPAddress = user.LastIPAddress;
                     filtered.TwoFactorRequired = user.TwoFactorRequired;
+                    filtered.EmailConfirmed = user.EmailConfirmed;
                     filtered.Roles = user.Roles;
                     filtered.CreatedBy = user.CreatedBy;
                     filtered.CreatedOn = user.CreatedOn;
@@ -200,10 +201,15 @@ namespace Oqtane.Controllers
         [Authorize]
         public async Task<User> Put(int id, [FromBody] User user)
         {
-            if (ModelState.IsValid && user.SiteId == _tenantManager.GetAlias().SiteId && user.UserId == id && _users.GetUser(user.UserId, false) != null
+            var existing = _userManager.GetUser(user.UserId, user.SiteId);
+            if (ModelState.IsValid && user.SiteId == _tenantManager.GetAlias().SiteId && user.UserId == id && existing != null
                 && (_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || User.Identity.Name == user.Username))
             {
-                user.EmailConfirmed = User.IsInRole(RoleNames.Admin);
+                // only administrators can update the email confirmation
+                if (!User.IsInRole(RoleNames.Admin))
+                {
+                    user.EmailConfirmed = existing.EmailConfirmed;
+                }
                 user = await _userManager.UpdateUser(user);
             }
             else

Oqtane.Server/Managers/UserManager.cs

@@ -65,7 +65,12 @@ namespace Oqtane.Managers
                 {
                     user.SiteId = siteid;
                     user.Roles = GetUserRoles(user.UserId, user.SiteId);
-                    user.SecurityStamp = _identityUserManager.FindByNameAsync(user.Username).GetAwaiter().GetResult()?.SecurityStamp;
+                    var identityuser = _identityUserManager.FindByNameAsync(user.Username).GetAwaiter().GetResult();
+                    if (identityuser != null)
+                    {
+                        user.SecurityStamp = identityuser.SecurityStamp;
+                        user.EmailConfirmed = identityuser.EmailConfirmed;
+                    }
                     user.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
                         .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
                 }
@@ -245,22 +250,30 @@ namespace Oqtane.Managers
                 {
                     identityuser.Email = user.Email;
                     await _identityUserManager.UpdateAsync(identityuser); // security stamp not updated
-
-                    // if email address changed and it is not confirmed, verification is required for new email address
-                    if (!user.EmailConfirmed)
-                    {
-                        string token = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
-                        string url = alias.Protocol + alias.Name + "/login?name=" + user.Username + "&token=" + WebUtility.UrlEncode(token);
-                        string body = "Dear " + user.DisplayName + ",\n\nIn Order To Verify The Email Address Associated To Your User Account Please Click The Link Displayed Below:\n\n" + url + "\n\nThank You!";
-                        var notification = new Notification(user.SiteId, user, "User Account Verification", body);
-                        _notifications.AddNotification(notification);
-                    }
                 }
 
                 if (user.EmailConfirmed)
                 {
-                    var emailConfirmationToken = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
-                    await _identityUserManager.ConfirmEmailAsync(identityuser, emailConfirmationToken);
+                    if (!identityuser.EmailConfirmed)
+                    {
+                        var emailConfirmationToken = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
+                        await _identityUserManager.ConfirmEmailAsync(identityuser, emailConfirmationToken);
+
+                        string body = "Dear " + user.DisplayName + ",\n\nThe Email Address For Your User Account Has Been Verified. You Can Now Login With Your Username And Password.";
+                        var notification = new Notification(user.SiteId, user, "User Account Verification", body);
+                        _notifications.AddNotification(notification);
+                    }
+                }
+                else
+                {
+                    identityuser.EmailConfirmed = false;
+                    await _identityUserManager.UpdateAsync(identityuser); // security stamp not updated
+
+                    string token = await _identityUserManager.GenerateEmailConfirmationTokenAsync(identityuser);
+                    string url = alias.Protocol + alias.Name + "/login?name=" + user.Username + "&token=" + WebUtility.UrlEncode(token);
+                    string body = "Dear " + user.DisplayName + ",\n\nIn Order To Verify The Email Address Associated To Your User Account Please Click The Link Displayed Below:\n\n" + url + "\n\nThank You!";
+                    var notification = new Notification(user.SiteId, user, "User Account Verification", body);
+                    _notifications.AddNotification(notification);
                 }
 
                 user = _users.UpdateUser(user);