From e2fd8a84d554d90c8dea641b8adea2def6eaffc8 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Sat, 26 Sep 2020 22:08:44 +0200
Subject: [PATCH] Prevent creating new accounts with email registered as secondary

If an email is already added as a secondary address to one account, don't allow creating a new account using that email, unless it's removed. Otherwise we end up with the same email address attached to multiple different accounts, which can cause big problems downstream. This should never have been allowed of course, but was missed when support for secondary emails was added.
---
 pgweb/account/forms.py | 12 +++++++-----
 pgweb/account/views.py | 4 ++++
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/pgweb/account/forms.py b/pgweb/account/forms.py
index 43321696..6ab279e4 100644
--- a/pgweb/account/forms.py
+++ b/pgweb/account/forms.py
@@ -85,11 +85,13 @@ class SignupForm(forms.Form):

 def clean_email(self):
 email = self.cleaned_data['email'].lower()
- try:
- User.objects.get(email=email)
- except User.DoesNotExist:
- return email
- raise forms.ValidationError("A user with this email address is already registered")
+ if User.objects.filter(email=email).exists():
+ raise forms.ValidationError("A user with this email address is already registered")
+
+ if SecondaryEmail.objects.filter(email=email).exists():
+ raise forms.ValidationError("This email address is already attached to a different user")
+
+ return email


 class SignupOauthForm(forms.Form):
diff --git a/pgweb/account/views.py b/pgweb/account/views.py
index ec98d0ec..3717da10 100644
--- a/pgweb/account/views.py
+++ b/pgweb/account/views.py
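Review bot: Both lookups in `clean_email` (pgweb/account/forms.py) compare the lowercased input with an exact `email=` match, so they only catch a duplicate when the stored `User.email` and `SecondaryEmail.email` values are themselves lowercase, which this patch does not show. If mixed-case rows can exist, a case-insensitive lookup closes the gap: `if SecondaryEmail.objects.filter(email__iexact=email).exists():`, and likewise for `User`. The `signup_oauth` check in pgweb/account/views.py rests on the same assumption. Separately, the two different messages let an anonymous visitor tell whether an address is a primary or a secondary one on some account; one shared wording would disclose less. `clean_email` is complete in the hunk, but the rest of `SignupForm` lies outside it.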
@@ -525,6 +525,10 @@ def signup_oauth(request):
 or 'oauth_lastname' not in request.session:
 return HttpSimpleResponse(request, "OAuth error", 'Invalid redirect received')

+ # Is this email already on a different account as a secondary one?
+ if SecondaryEmail.objects.filter(email=request.session['oauth_email'].lower()).exists():
+ return HttpSimpleResponse(request, "OAuth error", 'This email address is already attached to a different account')
+
 if request.method == 'POST':
 # Second stage, so create the account. But verify that the
 # nonce matches.
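Review bot: The new guard in `signup_oauth` is a check-then-create: a secondary address added between this query and the account creation further down would still produce the duplicate the commit is meant to prevent, unless something at the database level also enforces it (not visible here). Running the check and the insert inside one transaction, or adding a constraint that covers both tables, would make the rule hold under concurrency. The query also matches every `SecondaryEmail` row; if rows can exist before the owner has confirmed the address, an unverified entry on one account would block the real owner from signing up, so the filter should probably be limited to confirmed rows or the comment should state that this is intended. The body of `signup_oauth` starts and ends outside the hunk.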