Able to create superuser with same email as existing BrowserID account
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Postorius | Fix Released | Critical | Unassigned |
Bug Description
I initially connected to Postorius using BrowserID.
I then created a superuser from the command line (in dev_setup -> python manage.py createsuperuser). It correctly prevented me from using the existing username, but I was able to use the same email address as my BrowserID account. The superuser account was created and I could log into Postorius successfully.
When I then logged back out and logged in via BrowserID I received this error:
AuthException at /complete/
Not unique email address.
Request Method: POST
Request URL: http://
Django Version: 1.3.1
Exception Type: AuthException
Exception Value:
Not unique email address.
Exception Location: /usr/local/
Changed in postorius:
importance: Undecided → Critical
status: New → Triaged
Changed in postorius:
milestone: none → 1.0.0a2
Changed in postorius:
status: Fix Committed → Fix Released
Hi Jeff,
I tried to reproduce this and had no problems creating/logging in with both a superuser account and a persona/browserid account using the same email address. I tried that using both an earlier version of django-social-auth (0.6.7), as well as the current one (0.7.8).
However, there is a setting that should prevent this kind of problem, because it makes social-auth try to associate the browserid credentials with an existing Postorius account before creating a new one.
Example:
I created a superuser during installation. I then logged in using browserid (same email address as the superuser).
Result: I was logged in as the superuser I created earlier. No additional user record was added to the db.
I added the setting to the default settings file and made django-social-auth >= 0.7.8 an installation requirement.
Cheers
Florian
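
A simplified model of the email association step discussed in this report, added here as an illustration; it is not Postorius or django-social-auth code. The function names, the user-record layout, the case-insensitive comparison and the sample address are assumptions. It shows the single-account case from the comment above, the ambiguous two-account case from the bug description, and an audit helper for finding addresses that already belong to more than one account.

```python
from collections import Counter


class AuthException(Exception):
    """Stand-in for the exception type shown in the error page."""


def _norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()


def duplicate_emails(users):
    """Emails owned by more than one local account (audit before relying on association)."""
    counts = Counter(_norm(u["email"]) for u in users)
    return sorted(e for e, n in counts.items() if n > 1)


def resolve_login(users, verified_email, associate_by_email=True):
    """Return (user, created) for a login whose email the provider has verified."""
    wanted = _norm(verified_email)
    matches = [u for u in users if _norm(u["email"]) == wanted]
    if associate_by_email:
        if len(matches) > 1:
            # Ambiguous owner: fail closed instead of picking an account.
            raise AuthException("Not unique email address.")
        if matches:
            # Exactly one owner: log in as that account, write no new row.
            return matches[0], False
    # No association (or no match): a separate, unprivileged account is created.
    new_user = {"username": "browserid-%d" % len(users), "email": wanted,
                "is_superuser": False}
    users.append(new_user)
    return new_user, True


if __name__ == "__main__":
    # Constructed sample data; the address and usernames are placeholders.
    admin = {"username": "admin", "email": "user@example.org", "is_superuser": True}
    users = [admin]
    print(resolve_login(users, "User@example.org"))  # single-account case
    users.append({"username": "user", "email": "user@example.org", "is_superuser": False})
    print(duplicate_emails(users))
    try:
        resolve_login(users, "user@example.org")
    except AuthException as exc:
        print("AuthException:", exc)
```

Because a matching email logs the caller in as the existing account, including a superuser, this model assumes the identity provider has verified ownership of the address.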