Able to create superuser with same email as existing BrowserID account

Bug #1004048 reported by Jeff Marshall
Affects: Postorius
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

I initially connected to Postorius using BrowserID.

I then created a superuser from the command line (in dev_setup -> python manage.py createsuperuser). It correctly prevented me from using the existing username, but I was able to use the same email address as my BrowserID account. The superuser account was created and I could log into Postorius successfully.

When I then logged back out and logged in via BrowserID I received this error:

AuthException at /complete/browserid/
Not unique email address.

Request Method: POST
Request URL: http://xxxxxxxxxxxxxxxxxx/complete/browserid/
Django Version: 1.3.1
Exception Type: AuthException
Exception Value:
Not unique email address.
Exception Location: /usr/local/lib/python2.7/dist-packages/django_social_auth-0.6.9-py2.7.egg/social_auth/backends/pipeline/associate.py in associate_by_email, line 22

Terri (terriko)
Changed in postorius:
importance: Undecided → Critical
status: New → Triaged
Florian Fuchs (flo-fuchs) wrote :

Hi Jeff,

I tried to reproduce this and had no problems creating/logging in with both a superuser account and a persona/browserid account using the same email address. I tried that using both an earlier version of django-social-auth (0.6.7), as well as the current one (0.7.8).

However, there is a setting that should prevent this kind of problem, because it makes social-auth try to associate the browserid credentials with an existing Postorius account before creating a new one.

Example:
I created a superuser during installation. I then logged in using browserid (same email address as the superuser).
Result: I was logged in as the superuser I created earlier. No additional user record was added to the db.

I added the setting to the default settings file and made django-social-auth >= 0.7.8 an installation requirement.

Cheers
Florian

Changed in postorius:
status: Triaged → Fix Committed
Changed in postorius:
milestone: none → 1.0.0a2
Changed in postorius:
status: Fix Committed → Fix Released
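
The association step discussed in this thread, modelled as an added example (not code from the report, from Postorius or from django-social-auth): one matching account is reused, two or more raise the "Not unique email address." error, and an audit query lists shared addresses beforehand. The table layout, the helper names `make_db` and `duplicate_emails`, the case-insensitive matching and the sample rows are assumptions made for illustration.

```python
import sqlite3

class AuthException(Exception):
    """Stand-in for the exception type shown in the traceback."""

def make_db(rows):
    # Constructed in-memory stand-in for Django's auth_user table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, "
               "username TEXT UNIQUE, email TEXT, is_superuser INTEGER)")
    db.executemany("INSERT INTO auth_user (username, email, is_superuser) "
                   "VALUES (?, ?, ?)", rows)
    return db

def associate_by_email(db, email):
    """Username to log in as, or None when a new account would be created."""
    # Case-insensitive comparison is an assumption of this model.
    rows = db.execute("SELECT username FROM auth_user "
                      "WHERE lower(email) = lower(?)", (email,)).fetchall()
    if len(rows) > 1:
        # Ambiguous owner: refuse rather than pick one of the accounts.
        raise AuthException("Not unique email address.")
    return rows[0][0] if rows else None

def duplicate_emails(db):
    """Audit query: (email, account count, superusers among them)."""
    return db.execute(
        "SELECT lower(email), count(*), sum(is_superuser) FROM auth_user "
        "WHERE email <> '' GROUP BY lower(email) HAVING count(*) > 1 "
        "ORDER BY 1").fetchall()

if __name__ == "__main__":
    # Constructed sample data mirroring the two situations in the thread.
    florian = make_db([("admin", "user@example.org", 1)])
    print(associate_by_email(florian, "user@example.org"))
    jeff = make_db([("browserid_user", "user@example.org", 0),
                    ("admin", "user@example.org", 1)])
    print(duplicate_emails(jeff))
    try:
        associate_by_email(jeff, "user@example.org")
    except AuthException as exc:
        print("AuthException:", exc)
```

Running the audit query before association by email is switched on shows which addresses would hit the error, and whether a superuser is among the accounts sharing them.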