Improve the Confirmable race condition test

Co-authored-by: Rune Philosof <57357936+runephilosof-abtion@users.noreply.github.com>

Author: grantcox

test/integration/confirmable_test.rb

@@ -355,22 +355,26 @@ def visit_admin_confirmation_with_token(confirmation_token)
     assert admin.reload.pending_reconfirmation?
   end
 
-  test 'concurrent "update email" requests should not allow confirmation_token and unconfirmed_email to get out of sync' do
+  test 'concurrent "update email" requests should not allow confirming a victim email address' do
     attacker_email = "attacker@example.com"
     victim_email = "victim@example.com"
 
     attacker = create_admin
     # update the email address of the attacker, but do not confirm it yet
-    attacker.update(email: attacker_email)
+    attacker.update!(email: attacker_email)
+   
+    # A new request starts, to update the unconfirmed email again.
+    attacker = Admin.find_by(id: attacker.id)
 
-    # a concurrent request also updates the email address to the victim, while this request's model is in memory
+    # A concurrent request also updates the email address to the victim, while the `attacker` request's model is in memory
     Admin.where(id: attacker.id).update_all(
       unconfirmed_email: victim_email,
       confirmation_token: "different token"
     )
 
-    # now we update to the same prior unconfirmed email address, and confirm
-    attacker.update(email: attacker_email)
+    # Now the attacker updates to the same prior unconfirmed email address, and confirm.
+    # This should update the `unconfirmed_email` in the database, even though it is unchanged from the models point of view.
+    attacker.update!(email: attacker_email)
     attacker_token = attacker.raw_confirmation_token
     visit_admin_confirmation_with_token(attacker_token)