Send confirmation email to both, old and new email addresses

app/mailers/devise_notify_mailer.rb

@@ -15,10 +15,10 @@ class DeviseNotifyMailer < Devise::Mailer
     )
   end
 
-  def personalisation(record, token, url)
+  def personalisation(record, token, url, username: false)
     {
       name: record.name || record.email,
-      email: record.email,
+      email: username || record.email,
       organisation: record.respond_to?(:organisation) ? record.organisation.name : "",
       link: "#{url}#{token}",
     }
@@ -36,10 +36,20 @@ class DeviseNotifyMailer < Devise::Mailer
 
   def confirmation_instructions(record, token, _opts = {})
     url = "#{user_confirmation_url}?confirmation_token="
+
+    username = record.email
+    if record.confirmable_template == User::CONFIRMABLE_TEMPLATE_ID && (record.unconfirmed_email.present? && record.unconfirmed_email != record.email)
+      username = record.unconfirmed_email
+      send_email(
+        record.unconfirmed_email,
+        record.confirmable_template,
+        personalisation(record, token, url, username:),
+      )
+    end
     send_email(
       record.email,
       record.confirmable_template,
-      personalisation(record, token, url),
+      personalisation(record, token, url, username:),
     )
   end
 

app/models/user.rb

@@ -80,7 +80,7 @@ class User < ApplicationRecord
   end
 
   def confirmable_template
-    if last_sign_in_at.present?
+    if last_sign_in_at.present? && (unconfirmed_email.blank? || unconfirmed_email == email)
       USER_REACTIVATED_TEMPLATE_ID
     elsif was_migrated_from_softwire?
       BETA_ONBOARDING_TEMPLATE_ID

spec/requests/users_controller_spec.rb

@@ -838,6 +838,15 @@ RSpec.describe UsersController, type: :request do
           },
         }
       end
+
+      let(:personalisation) do
+        {
+          name: params[:user][:name],
+          email: params[:user][:email],
+          organisation: user.organisation.name,
+          link: include("/account/confirmation?confirmation_token="),
+        }
+      end
       let(:request) { post "/users/", headers:, params: }
 
       before do
@@ -848,6 +857,11 @@ RSpec.describe UsersController, type: :request do
         expect { request }.to change(User, :count).by(1)
       end
 
+      it "sends an invitation email" do
+        expect(notify_client).to receive(:send_email).with(email_address: params[:user][:email], template_id: User::CONFIRMABLE_TEMPLATE_ID, personalisation:).once
+        request
+      end
+
       it "redirects back to organisation users page" do
         request
         expect(response).to redirect_to("/organisations/#{user.organisation.id}/users")
@@ -1305,17 +1319,20 @@ RSpec.describe UsersController, type: :request do
 
     describe "#update" do
       context "when the current user matches the user ID" do
+        let(:request) { patch "/users/#{user.id}", headers:, params: }
+
         before do
           sign_in user
-          patch "/users/#{user.id}", headers:, params:
         end
 
         it "updates the user" do
+          request
           user.reload
           expect(user.name).to eq(new_name)
         end
 
         it "tracks who updated the record" do
+          request
           user.reload
           whodunnit_actor = user.versions.last.actor
           expect(whodunnit_actor).to be_a(User)
@@ -1324,13 +1341,32 @@ RSpec.describe UsersController, type: :request do
 
         context "when user changes email, dpo and key contact" do
           let(:params) { { id: user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } }
+          let(:personalisation) do
+            {
+              name: params[:user][:name],
+              email: new_email,
+              organisation: user.organisation.name,
+              link: include("/account/confirmation?confirmation_token="),
+            }
+          end
+
+          before do
+            user.update(old_user_id: nil)
+          end
 
           it "allows changing email and dpo" do
+            request
             user.reload
             expect(user.unconfirmed_email).to eq(new_email)
             expect(user.is_data_protection_officer?).to be true
             expect(user.is_key_contact?).to be true
           end
+
+          it "sends a confirmation email to both emails" do
+            expect(notify_client).to receive(:send_email).with(email_address: new_email, template_id: User::CONFIRMABLE_TEMPLATE_ID, personalisation:).once
+            expect(notify_client).to receive(:send_email).with(email_address: user.email, template_id: User::CONFIRMABLE_TEMPLATE_ID, personalisation:).once
+            request
+          end
         end
 
         context "when we update the user password" do