Opened 13 years ago

Closed 12 years ago

#47 closed defect (fixed)

It is possible to register 2 accounts with same email address

Reported by: Sebastian Spaeth Owned by: Elrond
Priority: minor Milestone: 0.3.0
Component: programming Keywords:
Cc: Parent Tickets:

Description

We can currently register two accounts with the same email address.
I am not sure if this is a feature or a bug, but it will be fun
when we implement the "forgot password" functionality. Can this be
limited on the database level or where would one check the
uniqueness?



Attachments (1)

0004-Checks-if-the-email-lowercase-have-been-used-before-.patch.tar.gz (1.0 KB ) - added by Alejandro Villanueva 13 years ago.
0004-Checks-if-the-email-lowercase-have-been-used-before-.patch.tar.gz

Download all attachments as: .zip

Change History (22)

comment:1 by Sebastian Spaeth, 13 years ago

BTW, when implementing this, the related user name uniqueness check
is not race-proof. It first checks if the name exists and later
creates the user name. So if 2 users create the same name in a
short time, we might end up with duplicate user names. Just
something to consider.



comment:2 by Christopher Allan Webber, 13 years ago

`http://www.mongodb.org/display/DOCS/Indexes#Indexes-UniqueIndexes <http://www.mongodb.org/display/DOCS/Indexes#Indexes-UniqueIndexes>`_

I wonder if we could use this to fix the race condition?



comment:3 by Sebastian Spaeth, 13 years ago

That would help with the duplicate username thing for sure. I guess
having an index on the username will be good anyway for performance
reaosons.

It won't help with the email issue, as we need to check for
case-insensitive uniqueness.



comment:4 by Christopher Allan Webber, 13 years ago

There's an easy way to handle case insensitivity in email and
that's to do string.lower() on all email operations before we
commit changes to email addresses (?)



comment:5 by Christopher Allan Webber, 13 years ago

::

    <spaetz> paroneayea: email duplication is not *that* trivial :)  [08:49]
    <spaetz> "The local-part of an address, is defined to be opaque to
             intermediate mail relay systems except the final mailbox host. For
             example, it must not be assumed to be case-insensitive." 
    <spaetz> ^^^wikipedia. But usually it should be easiest to just assume
             case-insensitivity
    <paroneayea> spaetz: well
    <paroneayea> we could store the email value twice  [08:50]
    <spaetz> I seriously doubt we would run in trouble :)
    <paroneayea> once for the lowercased one
    <paroneayea> which we could use to force uniqueness
    <paroneayea> but yeah I don't think it matters
    <spaetz> right, that we could do.
    <paroneayea> forcing to lowercase for now is good enough
    <spaetz> I don't think it matters either
    <Elrond> I would just lowercase the hostname and be done.   If people want to
             register multiple users, they'll surely find some email address
             dispenser.

We can probably just do what Elrond says.



comment:6 by Elrond, 13 years ago

Milestone: 0.0.3
We want to address this for 0.0.3



comment:7 by Elrond, 13 years ago

Component: Programming
Owner: set to Joar Wandborg

by Alejandro Villanueva, 13 years ago

0004-Checks-if-the-email-lowercase-have-been-used-before-.patch.tar.gz

comment:7 by Alejandro Villanueva, 13 years ago

Status: NewIn Progress
Now we can check if the email have used by another user and
displays the error, the email is lowercased before checking into
the database. which must be good enough.



comment:8 by Elrond, 13 years ago

Owner: set to Joar Wandborg
Joar is a bit too busy. :-)



comment:9 by Christopher Allan Webber, 13 years ago

Milestone: 0.0.30.0.4

comment:9 by Will Kahn-Greene, 13 years ago

Milestone: 0.0.40.0.5
We release 0.0.4, so I'm bumping this to 0.0.5.



comment:10 by Caleb Davis, 13 years ago

Alejandro's patch needs review.

I would use a warning more like,

::

    Sorry, that email address is already assigned.

Hm, perhaps we need a process to handle malicious squatting, but
that would be a new ticket.

Otherwise, besides this:

::

    error: patch failed: mediagoblin/auth/views.py:39
    error: mediagoblin/auth/views.py: patch does not apply

Alejandro's code gets a +1 from me.



comment:11 by Christopher Allan Webber, 13 years ago

Owner: set to Alejandro Villanueva
Status: In ProgressClosed
Merged!



comment:12 by Elrond, 13 years ago

Owner: changed from Alejandro Villanueva to Christopher Webber
Status: ClosedIn Progress
I have to reopen this.

::

    -  user['email'] = request.POST['email']
    +  user['email'] = request.POST['email'].lower()

The part before the @ is case sensitive. At least I'm 99% sure.
Most MTAs/MDAs don't care for it, that's right.
But AFAIK the standard says, it is case sensitive!
(And I even know unixy people, for which it is partly case
sensitive!)



comment:13 by Christopher Allan Webber, 13 years ago

Milestone: 0.0.50.1.0

comment:13 by Christopher Allan Webber, 12 years ago

Milestone: 0.1.00.2.0
Man, this is so old and seems so easy to fix. Does anyone want to
do it?



comment:14 by Aleksej, 12 years ago

I don't see what is important in this issue (user's convenience or
easy sock-puppets), so just a mention:
`user@example.com <mailto:user@example.com>`_ can be the same
account as `user+abc@example.com <mailto:user+abc@example.com>`_.



comment:15 by Christopher Allan Webber, 12 years ago

Milestone: 0.2.00.2.1

comment:15 by Elrond, 12 years ago

Owner: changed from Christopher Webber to Elvenlord Elrond
1) Okay, I'm trying to take care of this. Should really be simple.
   I'll just lowercase everything after the first "@".

2) Aleksej Serdjukov: Could you please elaborate (possibly on irc)
   what you want to say with your statement?




comment:16 by Will Kahn-Greene, 12 years ago

The original url for this bug was http://bugs.foocorp.net/issues/320 .

comment:17 by Elrond, 12 years ago

Milestone: 0.2.10.2.2
Resolution: fixed
Status: acceptedclosed

Commit: 53280164e2ebb5856a6f25d14f27439855f99dbb

Note: See TracTickets for help on using tickets.