If an email address is already attached to one account as a secondary
address, don't allow creating a new account using that address unless it
is first removed there. Otherwise we end up with the same email address attached to
multiple different accounts, which can cause big problems downstream.
This should never have been allowed of course, but was missed when
support for secondary emails was added.
def clean_email(self):
email = self.cleaned_data['email'].lower()
- try:
- User.objects.get(email=email)
- except User.DoesNotExist:
- return email
- raise forms.ValidationError("A user with this email address is already registered")
+ if User.objects.filter(email=email).exists():
+ raise forms.ValidationError("A user with this email address is already registered")
+
+ if SecondaryEmail.objects.filter(email=email).exists():
+ raise forms.ValidationError("This email address is already attached to a different user")
+
+ return email
class SignupOauthForm(forms.Form):
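Review bot: Both lookups in `clean_email` compare the lowercased input with an exact match, so they only catch a duplicate if every stored `User.email` and `SecondaryEmail.email` value is itself lowercase. Whether addresses are normalized on write is not visible here. If older rows may hold mixed case, use `filter(email__iexact=email)` in both queries, or add a comment stating that stored addresses are always lowercase. The same applies to the `SecondaryEmail` lookup added to the OAuth signup view.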
or 'oauth_lastname' not in request.session:
return HttpSimpleResponse(request, "OAuth error", 'Invalid redirect received')
+ # Is this email already on a different account as a secondary one?
+ if SecondaryEmail.objects.filter(email=request.session['oauth_email'].lower()).exists():
+ return HttpSimpleResponse(request, "OAuth error", 'This email address is already attached to a different account')
+
if request.method == 'POST':
# Second stage, so create the account. But verify that the
# nonce matches.
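Review bot: This lookup and the account creation in the POST branch below are separate steps, so the rule holds only as a point-in-time check. A secondary address attached between the check and the save would still produce the duplicate the commit describes. Because the rule spans two tables, a single unique constraint cannot express it, so consider repeating the `SecondaryEmail.objects.filter(...).exists()` test inside the transaction that creates the user. Also confirm that the code path which adds secondary addresses rejects any address already used as a primary one. The POST branch continues outside the hunk, so whether it already does this is not visible.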