Add some tooling for admins to manage user emails and investigate (#1665)

Seldaek · web-flow · commit 2e7817c2b9c0 · 2026-01-19T15:28:06.000+01:00
diff --git a/src/Controller/ProfileController.php b/src/Controller/ProfileController.php
@@ -17,12 +17,15 @@
 use App\Entity\Job;
 use App\Entity\Package;
 use App\Entity\User;
+use App\Form\Model\AdminUpdateEmailRequest;
+use App\Form\Type\AdminUpdateEmailType;
 use App\Form\Type\ProfileFormType;
 use App\Model\DownloadManager;
 use App\Model\FavoriteManager;
 use App\Security\UserNotifier;
 use Pagerfanta\Doctrine\ORM\QueryAdapter;
 use Pagerfanta\Pagerfanta;
+use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
@@ -57,12 +60,62 @@ public function myProfile(Request $req, FavoriteManager $favMgr, DownloadManager
     }
 
     #[Route(path: '/users/{name}/', name: 'user_profile')]
-    public function publicProfile(Request $req, #[VarName('name')] User $user, FavoriteManager $favMgr, DownloadManager $dlMgr, #[CurrentUser] ?User $loggedUser = null): Response
+    public function publicProfile(Request $req, #[VarName('name')] User $user, FavoriteManager $favMgr, DownloadManager $dlMgr, UserNotifier $userNotifier, LoggerInterface $logger, #[CurrentUser] ?User $loggedUser = null): Response
     {
         if ($req->attributes->getString('name') !== $user->getUsername()) {
             return $this->redirectToRoute('user_profile', ['name' => $user->getUsername()]);
         }
 
+        // Admin email update form
+        $adminEmailForm = null;
+        if ($this->isGranted('ROLE_ADMIN')) {
+            assert($loggedUser !== null);
+            $adminUpdateEmailRequest = new AdminUpdateEmailRequest($user->getEmail());
+            $adminEmailForm = $this->createForm(AdminUpdateEmailType::class, $adminUpdateEmailRequest);
+            $adminEmailForm->handleRequest($req);
+
+            if ($adminEmailForm->isSubmitted() && $adminEmailForm->isValid()) {
+                $newEmail = $adminUpdateEmailRequest->email;
+                $oldEmail = $user->getEmail();
+
+                if ($newEmail === $oldEmail) {
+                    $this->addFlash('warning', 'Email address unchanged.');
+                } else {
+                    // Check if email is already in use
+                    $existingUser = $this->getEM()->getRepository(User::class)->findOneBy(['emailCanonical' => strtolower($newEmail)]);
+                    if ($existingUser && $existingUser->getId() !== $user->getId()) {
+                        $this->addFlash('error', 'Email address is already in use by another account.');
+                    } else {
+                        try {
+                            $user->setEmail($newEmail);
+
+                            // Create audit record
+                            $auditRecord = AuditRecord::emailChanged($user, $loggedUser, $oldEmail);
+                            $this->getEM()->persist($auditRecord);
+                            $this->getEM()->persist($user);
+                            $this->getEM()->flush();
+
+                            // Send notifications
+                            $reason = 'Your email has been changed by an administrator from ' . $oldEmail . ' to ' . $newEmail;
+                            $userNotifier->notifyChange($oldEmail, $reason);
+                            $userNotifier->notifyChange($newEmail, $reason);
+
+                            $this->addFlash('success', 'Email address updated successfully.');
+                            return $this->redirectToRoute('user_profile', ['name' => $user->getUsername()]);
+                        } catch (\Exception $e) {
+                            $logger->error('Failed to update user email', [
+                                'user_id' => $user->getId(),
+                                'old_email' => $oldEmail,
+                                'new_email' => $newEmail,
+                                'error' => $e->getMessage(),
+                            ]);
+                            $this->addFlash('error', 'Failed to update email address. Please try again.');
+                        }
+                    }
+                }
+            }
+        }
+
         $packages = $this->getUserPackages($req, $user);
 
         $data = [
@@ -77,6 +130,9 @@ public function publicProfile(Request $req, #[VarName('name')] User $user, Favor
         if (!\count($packages) && ($this->isGranted('ROLE_ADMIN') || $loggedUser?->getId() === $user->getId())) {
             $data['deleteForm'] = $this->createFormBuilder([])->getForm()->createView();
         }
+        if ($adminEmailForm !== null) {
+            $data['adminEmailForm'] = $adminEmailForm->createView();
+        }
 
         return $this->render(
             'user/public_profile.html.twig',
diff --git a/src/Form/Model/AdminUpdateEmailRequest.php b/src/Form/Model/AdminUpdateEmailRequest.php
@@ -0,0 +1,24 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Form\Model;
+
+use Symfony\Component\Validator\Constraints as Assert;
+
+class AdminUpdateEmailRequest
+{
+    public function __construct(
+        #[Assert\NotBlank]
+        #[Assert\Email]
+        public string $email,
+    ) {}
+}
diff --git a/src/Form/Type/AdminUpdateEmailType.php b/src/Form/Type/AdminUpdateEmailType.php
@@ -0,0 +1,43 @@
+<?php declare(strict_types=1);
+
+/*
+ * This file is part of Packagist.
+ *
+ * (c) Jordi Boggiano <j.boggiano@seld.be>
+ *     Nils Adermann <naderman@naderman.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Form\Type;
+
+use App\Form\Model\AdminUpdateEmailRequest;
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\EmailType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+/**
+ * @extends AbstractType<AdminUpdateEmailRequest>
+ */
+class AdminUpdateEmailType extends AbstractType
+{
+    public function buildForm(FormBuilderInterface $builder, array $options): void
+    {
+        $builder->add('email', EmailType::class);
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            'data_class' => AdminUpdateEmailRequest::class,
+            'csrf_token_id' => 'admin_update_email',
+        ]);
+    }
+
+    public function getBlockPrefix(): string
+    {
+        return 'admin_update_email_form';
+    }
+}
diff --git a/templates/user/public_profile.html.twig b/templates/user/public_profile.html.twig
@@ -35,6 +35,38 @@
     </small>
 </h2>
 
+{% if is_granted('ROLE_ADMIN') %}
+    <div class="row" style="background-color: #f9f9f9; padding: 15px; border-radius: 4px; margin-bottom: 20px;">
+        <div class="col-md-6">
+            <h4>User Metadata</h4>
+            <dl class="dl-horizontal">
+                <dt>Created At:</dt>
+                <dd>{{ user.createdAt|date('Y-m-d H:i:s') }}</dd>
+
+                <dt>Last Login:</dt>
+                <dd>{{ user.lastLogin ? user.lastLogin|date('Y-m-d H:i:s') : 'Never' }}</dd>
+
+                <dt>Pwd Reset Request:</dt>
+                <dd>{{ user.passwordRequestedAt ? user.passwordRequestedAt|date('Y-m-d H:i:s') : 'N/A' }}</dd>
+
+                <dt>GitHub ID:</dt>
+                <dd>{{ user.githubId ? user.githubId : 'Not linked' }}</dd>
+            </dl>
+        </div>
+
+        <div class="col-md-6">
+            <h4>Update Email Address</h4>
+            <p class="help-block">Current email: {{ user.email }}</p>
+            {{ form_start(adminEmailForm) }}
+                <div class="form-group">
+                    {{ form_widget(adminEmailForm.email, {'attr': {'class': 'form-control', 'placeholder': 'New email address'}}) }}
+                </div>
+                <button type="submit" class="btn btn-primary">Update Email</button>
+            {{ form_end(adminEmailForm) }}
+        </div>
+    </div>
+{% endif %}
+
 <section class="row">
     <section class="col-md-12">
         {% embed "web/list.html.twig" with {noLayout: 'true', showAutoUpdateWarning: isActualUser} %}
