Send email notifications for email and password changes

app/settings.rb

@@ -188,6 +188,12 @@ post '/settings/change_password' do
 
   if parent_site.errors.empty?
     parent_site.save_changes
+
+    parent_site.send_email(
+      subject: "[Neocities] Your password has been changed",
+      body: Tilt.new('./views/templates/email/password_changed.erb', pretty: true).render(self)
+    )
+
     flash[:success] = 'Successfully changed password.'
     redirect "/settings#password"
   else
@@ -210,6 +216,7 @@ post '/settings/change_email' do
     redirect redirect_url
   end
 
+  previous_email = parent_site.email
   parent_site.email = params[:email]
   parent_site.email_confirmation_token = SecureRandom.hex 3
   parent_site.email_confirmed = false
@@ -218,6 +225,12 @@ post '/settings/change_email' do
   if parent_site.valid?
     parent_site.save_changes
     send_confirmation_email
+
+    parent_site.send_email(
+      subject: "[Neocities] Your email address has been changed",
+      body: Tilt.new('./views/templates/email/email_changed.erb', pretty: true).render(self, site: parent_site, previous_email: previous_email)
+    )
+
     if !parent_site.supporter?
       session[:fromsettings] = true
       redirect "/site/#{parent_site.email}/confirm_email"

tests/acceptance/settings/account_tests.rb

@@ -13,6 +13,7 @@ describe 'site/settings' do
     end
 
     it 'should change email' do
+      original_email = @site.email
       @site.password_reset_token = 'shouldgoaway'
       @site.save
       @new_email = "#{SecureRandom.uuid.gsub('-', '')}@exampleedsdfdsf.com"
@@ -29,12 +30,18 @@ describe 'site/settings' do
       @site.reload
       @site.email.must_equal @new_email
       @site.password_reset_token.must_equal nil
-      EmailWorker.jobs.length.must_equal 1
-      args = EmailWorker.jobs.first['args'].first
+
+      EmailWorker.jobs.length.must_equal 2
+
+      args = EmailWorker.jobs.select {|job| job['args'].first['subject'] =~ /confirm your email address/i}.first['args'].first
       args['to'].must_equal @new_email
       args['subject'].must_match /confirm your email address/i
       args['body'].must_match /hello #{@site.username}/i
       args['body'].must_match /#{@site.email_confirmation_token}/
+
+      args = EmailWorker.jobs.select {|job| job['args'].first['subject'] =~ /your email address.+changed/i}.first['args'].first
+      args['body'].must_match /previous email.+#{original_email}/
+      args['body'].must_match /new email.+#{@site.email}/
     end
 
     it 'should fail for invalid email address' do
@@ -123,6 +130,7 @@ describe 'site/settings' do
     include Capybara::DSL
 
     before do
+      EmailWorker.jobs.clear
       @site = Fabricate :site, password: 'derpie'
       page.set_rack_session id: @site.id
       visit '/settings'
@@ -138,6 +146,8 @@ describe 'site/settings' do
       @site.reload
       @site.valid_password?('derpie').must_equal false
       @site.valid_password?('derpie2').must_equal true
+
+      EmailWorker.jobs.select {|job| job['args'].first['subject'] =~ /password has been changed/i}.length.must_equal 1
     end
 
     it 'should not change for invalid current password' do
@@ -150,6 +160,8 @@ describe 'site/settings' do
       @site.reload
       @site.valid_password?('derpie').must_equal true
       @site.valid_password?('derpie2').must_equal false
+
+      EmailWorker.jobs.length.must_equal 0
     end
   end
 end

views/templates/email/email_changed.erb

@@ -0,0 +1,11 @@
+Hello,
+
+We're writing to let you know that your Neocities email has been changed. If you made this change, you can safely ignore this email.
+
+Your previous email address: <%= previous_email %>
+Your new email address: <%= site.email %>
+
+If you did NOT make this email change, this could be an indication that your site has been hacked! Please contact Neocities support if you think this is the case.
+
+Regards,
+The Neocities Team

views/templates/email/password_changed.erb

@@ -0,0 +1,8 @@
+Hello,
+
+We're writing to let you know that your Neocities password has been changed. If you made this change, you can safely ignore this email.
+
+If you did NOT make this password change, this could be an indication that your site has been hacked! Please contact Neocities support if you think this is the case.
+
+Regards,
+The Neocities Team