[#2838] Email unique validator #5100
@wardi @amercader would it make sense to have a script actually emailing the dups asking to consolidate the accounts to one account?

@mutantsan yes, as @sivang points out having unique emails is definitely a desired behaviour. But as uniqueness has not been enforced until now, there might be an issue with existing duplicates. You will get an exception when trying to edit one of the users with the same email. We need to provide guidance on how to migrate. Touching the actual emails is probably too risky so clear warnings in the changelog plus some helpers like the script @sivang suggests is probably safer, and we leave it up to maintainers to decide how to fix the duplicates. The script could be a new command

@wardi @amercader I'm just thinking about what the command should do. I don't think that emailing users is a great idea. Can we just update all duplicate emails to empty and let users change it, since they can just update their own profiles and even delete the email?

@mutantsan sorry, I wasn't clear. The command should not do anything to the database or send any email. It should only show a list of users with duplicated emails so the site maintainers can decide what to do with them

This probably shouldn't be a top-level CLI command. Can it be moved to be under

c15e5bd to 3ffe476

Sorry, this PR history looks like a mess. I've added the duplicate_emails subcommand under db.

Many thanks @mutantsan! All LGTM, but I'll leave it to the assignees to confirm/merge.

07ea100 to cec6c83
| '''Validate email is unique''' | ||
| model = context['model'] | ||
| session = context['session'] | ||
| user = session.query(model.User).filter_by(email=data[key]).first() |
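Review bot: the `filter_by(email=data[key])` lookup on the last line matches the address exactly as submitted, so on a case-sensitive column two accounts whose addresses differ only in letter case or surrounding whitespace would both pass as unique. Suggest normalising the value before the comparison (for example comparing lowercased, stripped addresses) and covering that case in the tests.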
Oh, if the existing user shows up first, then it won't detect any duplicates. I think you need to filter out the user in this query i.e. .filter(model.User.name != data[('name',)]) rather than in the if in the next statement.
@davidread, thank you! I've changed the validator logic. But, since the validator is used in two cases (registration and update), I've chosen another approach.
| if not users: | ||
| return | ||
| else: | ||
| # allow user to update his own email |
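Review bot: style point on the `else:` that follows the bare `return` in the `if not users:` branch: the `else` is redundant, so the own-email handling below it can be dedented one level, which keeps the early-exit shape of the validator easier to read.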
| # allow user to update his own email | |
| # allow user to update their own email |
@mutantsan This all looks great. I was going to merge but after merging master I'm getting two failures in the tests involved in this PR. Would you mind having a look? https://circleci.com/gh/ckan/ckan/6311#tests/containers/1

d5da609 to aef247b

@amercader Hi, I've fixed the tests.

Thanks a lot @mutantsan

At the moment, there is no validation for the uniqueness of the email, which does not allow us to use login via email. It can also be a vulnerability to spam attacks.

This change implements the is_email_unique validator, which prevents the creation of two or more users with the same email. Also, it's a step to provide authentication via email. Since this change doesn't touch the models, there shouldn't be conflicts with existing portals.
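The two behaviours this thread settles on, as an added example that is not the code from this PR: a uniqueness check that excludes the account being edited inside the query, and a read-only report of existing duplicates. The sqlite3 stand-in table, the function names and the case/whitespace normalisation are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows (id, name, email); a stand-in table, not CKAN's schema.
SAMPLE_USERS = [
    ("u1", "alice", "alice@example.org"),
    ("u2", "alice2", "alice@example.org"),     # pre-existing duplicate
    ("u3", "bob", "bob@example.org"),
    ("u4", "carol", "Carol@example.org"),
    ("u5", "carol_old", "carol@example.org"),  # differs only in case
    ("u6", "dave", ""),                        # emptied emails are not duplicates
    ("u7", "erin", ""),
]

def make_db(rows=SAMPLE_USERS):
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "user" (id TEXT PRIMARY KEY, name TEXT, email TEXT)')
    db.executemany('INSERT INTO "user" VALUES (?, ?, ?)', rows)
    return db

def email_is_unique(db, email, user_id=None):
    """True if no *other* account holds this email.

    user_id is None on registration and the edited account's id on update.
    That account is excluded inside the query, so its own row can neither
    trigger a false conflict nor hide a second account with the same email.
    """
    (count,) = db.execute(
        'SELECT COUNT(*) FROM "user" '
        "WHERE lower(trim(email)) = lower(trim(?)) AND id IS NOT ?",
        (email, user_id),
    ).fetchone()
    return count == 0

def duplicate_emails(db):
    """Read-only report {normalised email: [names]}; changes nothing, sends nothing."""
    groups = {}
    rows = db.execute(
        'SELECT lower(trim(email)), name FROM "user" '
        "WHERE trim(email) != '' ORDER BY 1, name"
    )
    for email, name in rows:
        groups.setdefault(email, []).append(name)
    return {email: names for email, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for email, names in duplicate_emails(make_db()).items():
        print(email, ", ".join(names))
```
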