CenterForOpenScience · Vlad0n20 · Sep 15, 2025 · Oct 30, 2025 · Oct 30, 2025 · adlius
diff --git a/admin/templates/users/add_email.html b/admin/templates/users/add_email.html
@@ -0,0 +1,27 @@
+{% if perms.osf.change_osfuser %}
+    <a data-toggle="modal" data-target="#addEmailModal" class="btn btn-default">Add email</a>
+    <div class="modal" id="addEmailModal">
+        <div class="modal-dialog">
+            <div class="modal-content">
+                <form class="well" method="post" action="{% url 'users:add-email' guid=user.guid %}">
+                    <div class="modal-header">
+                        <button type="button" class="close" data-dismiss="modal">x</button>
+                        <h3>Add email to user</h3>
+                    </div>
+                    <div class="modal-body">
+                        <h4>User: {{ user.guid }}</h4>
+                        {% csrf_token %}
+                        <label for="id_new_email">Email address</label>
+                        <input type="email" name="new_email" id="id_new_email" class="form-control" required />
+                    </div>
+                    <div class="modal-footer">
+                        <input class="btn btn-primary" type="submit" value="Add and send confirmation" />
+                        <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+{% endif %}
+
+
diff --git a/admin/templates/users/user.html b/admin/templates/users/user.html
@@ -20,6 +20,7 @@
             <div class="btn-group" role="group">
                 <a href="{% url 'users:search' %}" class="btn btn-default"><i class="fa fa-search"></i></a>
                 {% include "users/reset_password.html" with user=user %}
+                {% include "users/add_email.html" with user=user %}
                 {%  if perms.osf.change_osfuser %}
                     <a href="{% url 'users:get-reset-password' guid=user.guid %}" data-toggle="modal" data-target="#getResetModal" class="btn btn-default">Get password reset link</a>
                     {% if user.confirmed %}

diff --git a/admin/users/forms.py b/admin/users/forms.py
@@ -19,3 +19,11 @@ class UserSearchForm(forms.Form):
 
 class MergeUserForm(forms.Form):
     user_guid_to_be_merged = forms.CharField(label='user_guid_to_be_merged', min_length=5, max_length=5, required=True)  # TODO: Move max to 6 when needed
+
+
+class AddSystemTagForm(forms.Form):
+    system_tag_to_add = forms.CharField(label='system_tag_to_add', min_length=1, max_length=1024, required=True)
+
+
+class AddEmailForm(forms.Form):
+    new_email = forms.EmailField(label='new_email', required=True)
diff --git a/admin/users/urls.py b/admin/users/urls.py
@@ -26,6 +26,7 @@
     re_path(r'^(?P<guid>[a-z0-9]+)/get_reset_password/$', views.GetPasswordResetLink.as_view(), name='get-reset-password'),
     re_path(r'^(?P<guid>[a-z0-9]+)/reindex_elastic_user/$', views.UserReindexElastic.as_view(),
         name='reindex-elastic-user'),
+    re_path(r'^(?P<guid>[a-z0-9]+)/add_email/$', views.UserAddEmail.as_view(), name='add-email'),
     re_path(r'^(?P<guid>[a-z0-9]+)/reindex_share_user/$', views.UserShareReindex.as_view(),
         name='reindex-share-user'),
     re_path(r'^(?P<guid>[a-z0-9]+)/merge_accounts/$', views.UserMergeAccounts.as_view(), name='merge-accounts'),

diff --git a/admin/users/views.py b/admin/users/views.py
@@ -11,17 +11,19 @@
 from django.contrib import messages
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.urls import reverse
+from django.utils import timezone
 from django.core.exceptions import PermissionDenied
 from django.shortcuts import redirect
 from django.core.paginator import Paginator
 from django.core.exceptions import ValidationError
 
-from osf.exceptions import UserStateError
+from osf.exceptions import UserStateError, BlockedEmailError
 from osf.models.base import Guid
-from osf.models.user import OSFUser
+from osf.models.user import OSFUser, Email
 from osf.models.spam import SpamStatus
 from framework.auth import get_user
 from framework.auth.core import generate_verification_key
+from framework.auth.views import send_confirm_email_async
 
 from website import search
 from website.settings import EXTERNAL_IDENTITY_PROFILE
@@ -43,7 +45,8 @@
 from admin.users.forms import (
     EmailResetForm,
     UserSearchForm,
-    MergeUserForm
+    MergeUserForm,
+    AddEmailForm
 )
 from admin.nodes.views import NodeAddSystemTag, NodeRemoveSystemTag
 from admin.base.views import GuidView
@@ -396,6 +399,44 @@ class UserRemoveSystemTag(UserMixin, NodeRemoveSystemTag):
     permission_required = 'osf.change_osfuser'
 
 
+class UserAddEmail(UserMixin, FormView):
+    """Allows authorized users to add an email to a user's account and trigger confirmation."""
+    permission_required = 'osf.change_osfuser'
+    raise_exception = True
+    form_class = AddEmailForm
+
+    def form_valid(self, form):
+
+        user = self.get_object()
+        address = form.cleaned_data['new_email'].strip().lower()
+
+        existing_email = Email.objects.filter(address=address).first()
+        if existing_email:
+            if existing_email.user == user:
+                messages.error(self.request, f'Email {address} is already confirmed for this user.')
+            else:
+                messages.error(self.request, f'Email {address} already exists in the system and is associated with another user.')
+            return super().form_valid(form)
+
+        if address in user.unconfirmed_emails:
+            messages.error(self.request, f'Email {address} is already pending confirmation for this user.')
+            return super().form_valid(form)
+
+        try:
+            user.add_unconfirmed_email(address)
+
+            send_confirm_email_async(user, email=address)
+            user.email_last_sent = timezone.now()
+            user.save()
+            messages.success(self.request, f'Added unconfirmed email {address} and sent confirmation email.')
+        except (ValidationError, ValueError) as e:
+            messages.error(self.request, f'Invalid email: {getattr(e, "message", str(e))}')
+        except BlockedEmailError:
+            messages.error(self.request, 'This email address domain is blocked.')
+
+        return super().form_valid(form)
+
+
 class UserMergeAccounts(UserMixin, FormView):
     """ Allows authorized users to merge a user's accounts using their guid.
     """