SECURITY: signup without verified email using Google auth

app/controllers/users_controller.rb

@@ -351,6 +351,11 @@ class UsersController < ApplicationController
 
     authentication.start
 
+    if authentication.email_valid? && !authentication.authenticated?
+      # posted email is different that the already validated one?
+      return fail_with('login.incorrect_username_email_or_password')
+    end
+
     activation = UserActivator.new(user, request, session, cookies)
     activation.start
 

app/services/user_authenticator.rb

@@ -25,12 +25,16 @@ class UserAuthenticator
     @session = nil
   end
 
-  private
+  def email_valid?
+    @session && @session[:email_valid]
+  end
 
   def authenticated?
     @session && @session[:email] == @user.email && @session[:email_valid]
   end
 
+  private
+
   def authenticator
     if authenticator_name
       @authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)