fix: add an additional check on page load to enforce requireEmailAddress setting

The old behaviour would require that an email be entered, but did not block access to the forum (nor did it ensure that the email was verified).

The new behaviour (if the setting is enabled) will ensure that only those users with a confirmed email can continue through.

The only exceptions are super admins (so they don't get locked out).

public/language/en-GB/user.json

@@ -223,5 +223,6 @@
 	"emailUpdate.optional": "<strong>This field is optional</strong>. You are not obligated to provide your email address, but without a validated email you will not be able to recover your account or login with your email.",
 	"emailUpdate.required": "<strong>This field is required</strong>.",
 	"emailUpdate.change-instructions": "A confirmation email will be sent to the entered email address with a unique link. Accessing that link will confirm your ownership of the email address and it will become active on your account. At any time, you are able to update your email on file from within your account page.",
-	"emailUpdate.password-challenge": "Please enter your password in order to verify account ownership."
+	"emailUpdate.password-challenge": "Please enter your password in order to verify account ownership.",
+	"emailUpdate.pending": "Your email address has not yet been confirmed, but an email has been sent out requesting confirmation. If you wish to invalidate that request and send a new confirmation request, please fill in the form below."
 }

src/middleware/user.js

@@ -6,6 +6,7 @@ const nconf = require('nconf');
 const path = require('path');
 const util = require('util');
 
+const meta = require('../meta');
 const user = require('../user');
 const privileges = require('../privileges');
 const plugins = require('../plugins');
@@ -231,12 +232,27 @@ module.exports = function (middleware) {
 	};
 
 	middleware.registrationComplete = async function registrationComplete(req, res, next) {
-		// If the user's session contains registration data, redirect the user to complete registration
+		/**
+		 * Redirect the user to complete registration if:
+		 *   * user's session contains registration data
+		 *   * email is required and they have no confirmed email (pending doesn't count, but admins are OK)
+		 */
+		const path = req.path.startsWith('/api/') ? req.path.replace('/api', '') : req.path;
+
 		if (!req.session.hasOwnProperty('registration')) {
+			if (req.uid && !path.endsWith('/edit/email')) {
+				const [confirmed, isAdmin] = await Promise.all([
+					user.getUserField(req.uid, 'email:confirmed'),
+					user.isAdministrator(req.uid),
+				]);
+				if (meta.config.requireEmailAddress && !confirmed && !isAdmin) {
+					controllers.helpers.redirect(res, '/me/edit/email');
+				}
+			}
+
 			return setImmediate(next);
 		}
 
-		const path = req.path.startsWith('/api/') ? req.path.replace('/api', '') : req.path;
 		const { allowed } = await plugins.hooks.fire('filter:middleware.registrationComplete', {
 			allowed: ['/register/complete'],
 		});

src/user/interstitials.js

@@ -28,9 +28,10 @@ Interstitials.email = async (data) => {
 		return data;
 	}
 
-	const [isAdminOrGlobalMod, hasPassword] = await Promise.all([
+	const [isAdminOrGlobalMod, hasPassword, hasPending] = await Promise.all([
 		user.isAdminOrGlobalMod(data.req.uid),
 		user.hasPassword(data.userData.uid),
+		user.email.isValidationPending(data.userData.uid),
 	]);
 
 	let email;
@@ -44,6 +45,7 @@ Interstitials.email = async (data) => {
 			email,
 			requireEmailAddress: meta.config.requireEmailAddress,
 			issuePasswordChallenge: !!data.userData.uid && hasPassword,
+			hasPending,
 		},
 		callback: async (userData, formData) => {
 			// Validate and send email confirmation

src/views/partials/email_update.tpl

@@ -1,4 +1,9 @@
 <div>
+	{{{ if hasPending }}}
+	<div class="alert alert-info">
+		<p>[[user:emailUpdate.pending]]</p>
+	</div>
+	{{{ end }}}
 	<p>[[user:emailUpdate.intro]]</p>
 	{{{ if requireEmailAddress }}}
 	<p>[[user:emailUpdate.required]]</p>