VladPolskiy/postgres-web
1
0
Fork 0
mirror of https://github.com/postgres/pgweb.git synced 2025-08-13 13:12:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent creating new accounts with email registered as secondary

Browse Source 
If an email is already added as a secondary address to one account,
don't allow creating a new account using that email, unless it's
removed. Otherwise we end up with the same email address attached to
multiple different accounts, which can cause big problems downstream.

This should never have been allowed of course, but was missed when
support for secondary emails was added.
This commit is contained in:
Magnus Hagander
2020-09-26 22:08:44 +02:00
parent 25675b1479
commit e2fd8a84d5
2 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pgweb/account/views.py
View File

@ -525,6 +525,10 @@ def signup_oauth(request):
or 'oauth_lastname' not in request.session:
return HttpSimpleResponse(request, "OAuth error", 'Invalid redirect received')
# Is this email already on a different account as a secondary one?
if SecondaryEmail.objects.filter(email=request.session['oauth_email'].lower()).exists():
return HttpSimpleResponse(request, "OAuth error", 'This email address is already attached to a different account')
if request.method == 'POST':
# Second stage, so create the account. But verify that the
# nonce matches.