Manage Pledge: Allow pledge admins to change email (#113)

* Add the admin email field to the manage form
* Fix admin email processing: When the email is changed, the pledge needs to be set back to pending, until the email is re-confirmed
* Send confirmation emails for existing pledges to the "Manage Pledge" page
* Process the email confirmation & resending emails actions on both shortcodes
* Add a message for unconfirmed pledges

plugins/wporg-5ftf/includes/pledge-form.php

@@ -15,6 +15,11 @@ defined( 'WPINC' ) || die();
 add_shortcode( '5ftf_pledge_form_new', __NAMESPACE__ . '\render_form_new' );
 add_shortcode( '5ftf_pledge_form_manage', __NAMESPACE__ . '\render_form_manage' );
 
+// Short-circuit out of both shortcodes for shared functionality (confirming admin email, resending the pledge
+// confirmation email).
+add_filter( 'pre_do_shortcode_tag', __NAMESPACE__ . '\process_confirmed_email', 10, 2 );
+add_filter( 'pre_do_shortcode_tag', __NAMESPACE__ . '\process_resend_confirm_email', 10, 2 );
+
 /**
  * Render the form(s) for creating new pledges.
  *
@@ -38,18 +43,6 @@ function render_form_new() {
 		} elseif ( is_int( $pledge_id ) ) {
 			$complete = true;
 		}
-	} elseif ( 'confirm_pledge_email' === $action ) {
-		$view             = 'form-pledge-confirm-email.php';
-		$pledge_id        = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
-		$unverified_token = filter_input( INPUT_GET, 'auth_token', FILTER_SANITIZE_STRING );
-		$email_confirmed  = process_pledge_confirmation_email( $pledge_id, $action, $unverified_token );
-		$pledge           = get_post( $pledge_id );
-
-	} elseif ( filter_input( INPUT_GET, 'resend_pledge_confirmation' ) ) {
-		$pledge_id = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
-		$complete  = true;
-
-		Email\send_pledge_confirmation_email( $pledge_id, get_post()->ID );
 	}
 
 	ob_start();
@@ -106,44 +99,6 @@ function process_form_new() {
 	return $new_pledge_id;
 }
 
-/**
- * Process a request to confirm a company's email address.
- *
- * @param int    $pledge_id
- * @param string $action
- * @param array  $unverified_token
- *
- * @return bool
- */
-function process_pledge_confirmation_email( $pledge_id, $action, $unverified_token ) {
-	$meta_key          = PledgeMeta\META_PREFIX . 'pledge-email-confirmed';
-	$already_confirmed = get_post( $pledge_id )->$meta_key;
-
-	if ( $already_confirmed ) {
-		/*
-		 * If they refresh the page after confirming, they'd otherwise get an error because the token had been
-		 * used, and might be confused and think that the address wasn't confirmed.
-		 *
-		 * This leaks the fact that the address is confirmed, because it will return true even if the token is
-		 * invalid, but there aren't any security/privacy implications of that.
-		 */
-		return true;
-	}
-
-	$email_confirmed = Auth\is_valid_authentication_token( $pledge_id, $action, $unverified_token );
-
-	if ( $email_confirmed ) {
-		update_post_meta( $pledge_id, $meta_key, true );
-		wp_update_post( array(
-			'ID'          => $pledge_id,
-			'post_status' => 'publish',
-		) );
-		Email\send_contributor_confirmation_emails( $pledge_id );
-	}
-
-	return $email_confirmed;
-}
-
 /**
  * Render the form(s) for managing existing pledges.
  *
@@ -182,6 +137,11 @@ function render_form_manage() {
 			$errors = $results->get_error_messages();
 		} else {
 			$messages = array( __( 'Your pledge has been updated.', 'wporg-5ftf' ) );
+
+			$meta_key = PledgeMeta\META_PREFIX . 'pledge-email-confirmed';
+			if ( ! get_post( $pledge_id )->$meta_key ) {
+				$messages[] = __( 'You must confirm your new email address before it will be visible.', 'wporg-5ftf' );
+			}
 		}
 	}
 
@@ -260,6 +220,96 @@ function process_form_manage( $pledge_id, $auth_token ) {
 	return true;
 }
 
+/**
+ * Process a request to confirm a company's email address.
+ *
+ * @param string|false $value Short-circuit return value.
+ * @param string       $tag   Shortcode name.
+ *
+ * @return bool|string
+ */
+function process_confirmed_email( $value, $tag ) {
+	if ( ! in_array( $tag, [ '5ftf_pledge_form_new', '5ftf_pledge_form_manage' ] ) ) {
+		return $value;
+	}
+
+	$action = sanitize_text_field( $_REQUEST['action'] ?? '' );
+	if ( 'confirm_pledge_email' !== $action ) {
+		return $value;
+	}
+
+	$pledge_id  = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
+	$auth_token = filter_input( INPUT_GET, 'auth_token', FILTER_SANITIZE_STRING );
+
+	$meta_key          = PledgeMeta\META_PREFIX . 'pledge-email-confirmed';
+	$already_confirmed = get_post( $pledge_id )->$meta_key;
+	$email_confirmed   = false;
+	$is_new_pledge     = '5ftf_pledge_form_new' === $tag;
+
+	if ( $already_confirmed ) {
+		/*
+		 * If they refresh the page after confirming, they'd otherwise get an error because the token had been
+		 * used, and might be confused and think that the address wasn't confirmed.
+		 *
+		 * This leaks the fact that the address is confirmed, because it will return true even if the token is
+		 * invalid, but there aren't any security/privacy implications of that.
+		 */
+		$email_confirmed = true;
+	}
+
+	$email_confirmed = Auth\is_valid_authentication_token( $pledge_id, $action, $auth_token );
+
+	if ( $email_confirmed ) {
+		update_post_meta( $pledge_id, $meta_key, true );
+		wp_update_post( array(
+			'ID'          => $pledge_id,
+			'post_status' => 'publish',
+		) );
+		if ( $is_new_pledge ) {
+			Email\send_contributor_confirmation_emails( $pledge_id );
+		}
+	}
+
+	ob_start();
+	$directory_url = home_url( 'pledges' );
+	$pledge        = get_post( $pledge_id );
+	require FiveForTheFuture\get_views_path() . 'form-pledge-confirm-email.php';
+	return ob_get_clean();
+}
+
+/**
+ * Process a request to resed a company's confirmation email.
+ *
+ * @param string|false $value Short-circuit return value.
+ * @param string       $tag   Shortcode name.
+ *
+ * @return bool|string
+ */
+function process_resend_confirm_email( $value, $tag ) {
+	if ( ! in_array( $tag, [ '5ftf_pledge_form_new', '5ftf_pledge_form_manage' ] ) ) {
+		return $value;
+	}
+
+	$action = sanitize_text_field( $_REQUEST['action'] ?? '' );
+	if ( 'resend_pledge_confirmation' !== $action ) {
+		return $value;
+	}
+
+	$pledge_id = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
+	Email\send_pledge_confirmation_email( $pledge_id, get_post()->ID );
+
+	$messages = array(
+		sprintf(
+			__( 'We’ve emailed you a new link to confirm your address for %s.', 'wporg-5ftf' ),
+			get_the_title( $pledge_id )
+		),
+	);
+
+	ob_start();
+	require FiveForTheFuture\get_views_path() . 'partial-result-messages.php';
+	return ob_get_clean();
+}
+
 /**
  * Get and sanitize $_POST values from a form submission.
  *

plugins/wporg-5ftf/includes/pledge-meta.php

@@ -280,10 +280,11 @@ function save_pledge( $pledge_id, $pledge ) {
 
 	save_pledge_meta( $pledge_id, $submitted_meta );
 
+	// Fired if the "Resend Confirmation" button was clicked in wp-admin.
 	if ( filter_input( INPUT_POST, 'resend-pledge-confirmation' ) ) {
 		Email\send_pledge_confirmation_email(
 			filter_input( INPUT_GET, 'resend-pledge-id', FILTER_VALIDATE_INT ),
-			get_page_by_path( 'for-organizations' )->ID
+			get_page_by_path( 'manage-pledge' )->ID
 		);
 	}
 }
@@ -350,8 +351,15 @@ function update_generated_meta( $meta_id, $object_id, $meta_key, $_meta_value )
 			update_post_meta( $object_id, META_PREFIX . 'org-domain', $domain );
 			break;
 
-		case META_PREFIX . 'pledge-email':
+		case META_PREFIX . 'org-pledge-email':
+			$landing_page = get_page_by_path( 'manage-pledge' )->ID;
+			Email\send_pledge_confirmation_email( $object_id, $landing_page );
 			delete_post_meta( $object_id, META_PREFIX . 'pledge-email-confirmed' );
+			// Flip pledge back to pending.
+			wp_update_post( array(
+				'ID'          => $object_id,
+				'post_status' => 'pending',
+			) );
 			break;
 	}
 }

plugins/wporg-5ftf/views/form-pledge-confirm-email.php

@@ -4,8 +4,9 @@ namespace WordPressDotOrg\FiveForTheFuture\View;
 use WP_Post;
 
 /**
- * @var bool         $email_confirmed
  * @var string       $directory_url
+ * @var bool         $email_confirmed
+ * @var bool         $is_new_pledge
  * @var int          $pledge_id
  * @var WP_Post|null $pledge
  */
@@ -16,10 +17,17 @@ use WP_Post;
 	<div class="notice notice-success notice-alt">
 		<p>
 			<?php
+			if ( $is_new_pledge ) {
 				printf(
 					wp_kses_post( __( 'Thank you for confirming your address! We’ve emailed confirmation links to the contributors you mentioned, and your pledge will show up in <a href=\"%s\">the directory</a> once one contributor confirms their participation.', 'wporg-5ftf' ) ),
 					esc_url( $directory_url )
 				);
+			} else {
+				printf(
+					wp_kses_post( __( 'Thank you for confirming your address! If you have confirmed contributors, your pledge is visible in <a href=\"%s\">the directory</a> again. Otherwise, your pledge wiill show up once one contributor confirms their participation.', 'wporg-5ftf' ) ),
+					esc_url( $directory_url )
+				);
+			}
 			?>
 		</p>
 
@@ -54,11 +62,11 @@ use WP_Post;
 
 		<form action="" method="get">
 			<input type="hidden" name="pledge_id" value="<?php echo esc_attr( $pledge_id ); ?>" />
+			<input type="hidden" name="action" value="resend_pledge_confirmation" />
 
 			<p>
 				<input
 					type="submit"
-					name="resend_pledge_confirmation"
 					value="Resend Confirmation"
 				/>
 			</p>

plugins/wporg-5ftf/views/form-pledge-manage.php

@@ -23,6 +23,7 @@ require __DIR__ . '/partial-result-messages.php';
 		wp_nonce_field( 'manage_pledge_' . $pledge_id );
 
 		require get_views_path() . 'inputs-pledge-org-info.php';
+		require get_views_path() . 'inputs-pledge-org-email.php';
 		?>
 
 		<div>

plugins/wporg-5ftf/views/inputs-pledge-org-email.php

@@ -25,9 +25,16 @@ use WP_Post;
 		aria-describedby="5ftf-pledge-email-help"
 		<?php echo $readonly ? 'readonly' : ''; ?>
 	/>
-	<p id="5ftf-pledge-email-help">
+	<div id="5ftf-pledge-email-help">
+		<p>
 			<?php esc_html_e( 'This address will be used to confirm your organization’s contribution profile, and later manage any changes. Please make sure that it’s a group address (e.g., wp-contributors@example.com) so that it persists across employee transitions.', 'wporg-5ftf' ); ?>
 		</p>
+		<?php if ( ! empty( $data['org-pledge-email'] ) ) : ?>
+			<p>
+				<?php esc_html_e( 'If you change this email, you will need to confirm the new email. Your pledge will be unpublished until the new email is confirmed.', 'wporg-5ftf' ); ?>
+			</p>
+		<?php endif; ?>
+	</div>
 
 	<?php if ( is_admin() ) : ?>
 		<?php if ( $data['pledge-email-confirmed'] ) : ?>

themes/wporg-5ftf/css/objects/_pledge-form.scss

@@ -29,7 +29,7 @@
 			height: auto;
 		}
 
-		> p {
+		[id*="help"] p {
 			margin-top: ms(-5);
 			font-size: ms(-2);
 		}