Opened 15 years ago
Closed 14 years ago
#47 closed defect (fixed)
It is possible to register 2 accounts with same email address
| Reported by: | Sebastian Spaeth | Owned by: | Elrond |
|---|---|---|---|
| Priority: | minor | Milestone: | 0.3.0 |
| Component: | programming | Keywords: | |
| Cc: | Parent Tickets: |
Description
We can currently register two accounts with the same email address. I am not sure if this is a feature or a bug, but it will be fun when we implement the "forgot password" functionality. Can this be limited on the database level or where would one check the uniqueness?
Attachments (1)
Change History (22)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
http://www.mongodb.org/display/DOCS/Indexes#Indexes-UniqueIndexes
I wonder if we could use this to fix the race condition?
comment:3 by , 15 years ago
That would help with the duplicate username thing for sure. I guess having an index on the username will be good anyway for performance reaosons.
It won't help with the email issue, as we need to check for case-insensitive uniqueness.
comment:4 by , 15 years ago
There's an easy way to handle case insensitivity in email and that's to do string.lower() on all email operations before we commit changes to email addresses (?)
comment:5 by , 15 years ago
<spaetz> paroneayea: email duplication is not *that* trivial :) [08:49]
<spaetz> "The local-part of an address, is defined to be opaque to
intermediate mail relay systems except the final mailbox host. For
example, it must not be assumed to be case-insensitive."
<spaetz> ^^^wikipedia. But usually it should be easiest to just assume
case-insensitivity
<paroneayea> spaetz: well
<paroneayea> we could store the email value twice [08:50]
<spaetz> I seriously doubt we would run in trouble :)
<paroneayea> once for the lowercased one
<paroneayea> which we could use to force uniqueness
<paroneayea> but yeah I don't think it matters
<spaetz> right, that we could do.
<paroneayea> forcing to lowercase for now is good enough
<spaetz> I don't think it matters either
<Elrond> I would just lowercase the hostname and be done. If people want to
register multiple users, they'll surely find some email address
dispenser.
We can probably just do what Elrond says.
comment:7 by , 15 years ago
| Component: | → Programming |
|---|---|
| Owner: | set to |
by , 15 years ago
| Attachment: | 0004-Checks-if-the-email-lowercase-have-been-used-before-.patch.tar.gz added |
|---|
0004-Checks-if-the-email-lowercase-have-been-used-before-.patch.tar.gz
comment:7 by , 15 years ago
| Status: | New → In Progress |
|---|
Now we can check if the email have used by another user and displays the error, the email is lowercased before checking into the database. which must be good enough.
comment:9 by , 15 years ago
| Milestone: | 0.0.3 → 0.0.4 |
|---|
comment:9 by , 15 years ago
| Milestone: | 0.0.4 → 0.0.5 |
|---|
We release 0.0.4, so I'm bumping this to 0.0.5.
comment:10 by , 15 years ago
Alejandro's patch needs review.
I would use a warning more like,
Sorry, that email address is already assigned.
Hm, perhaps we need a process to handle malicious squatting, but that would be a new ticket.
Otherwise, besides this:
error: patch failed: mediagoblin/auth/views.py:39 error: mediagoblin/auth/views.py: patch does not apply
Alejandro's code gets a +1 from me.
comment:12 by , 15 years ago
| Owner: | changed from to |
|---|---|
| Status: | Closed → In Progress |
I have to reopen this.
- user['email'] = request.POST['email'] + user['email'] = request.POST['email'].lower()
The part before the @ is case sensitive. At least I'm 99% sure. Most MTAs/MDAs don't care for it, that's right. But AFAIK the standard says, it is case sensitive! (And I even know unixy people, for which it is partly case sensitive!)
comment:13 by , 15 years ago
| Milestone: | 0.0.5 → 0.1.0 |
|---|
comment:13 by , 15 years ago
| Milestone: | 0.1.0 → 0.2.0 |
|---|
Man, this is so old and seems so easy to fix. Does anyone want to do it?
comment:14 by , 15 years ago
I don't see what is important in this issue (user's convenience or easy sock-puppets), so just a mention: user@example.com can be the same account as user+abc@example.com.
comment:15 by , 15 years ago
| Milestone: | 0.2.0 → 0.2.1 |
|---|
comment:15 by , 14 years ago
| Owner: | changed from to |
|---|
- Okay, I'm trying to take care of this. Should really be simple. I'll just lowercase everything after the first "@".
- Aleksej Serdjukov: Could you please elaborate (possibly on irc) what you want to say with your statement?
comment:16 by , 14 years ago
The original url for this bug was http://bugs.foocorp.net/issues/320 .
comment:17 by , 14 years ago
| Milestone: | 0.2.1 → 0.2.2 |
|---|---|
| Resolution: | → fixed |
| Status: | accepted → closed |
Commit: 53280164e2ebb5856a6f25d14f27439855f99dbb
BTW, when implementing this, the related user name uniqueness check is not race-proof. It first checks if the name exists and later creates the user name. So if 2 users create the same name in a short time, we might end up with duplicate user names. Just something to consider.