Merge lp:~james-w/canonical-identity-provider/email-timeout into lp:canonical-identity-provider/release
Proposed by: James Westby

Status: Merged
Approved by: James Westby
Approved revision: no longer in the source branch.
Merged at revision: 1022
Proposed branch: lp:~james-w/canonical-identity-provider/email-timeout
Merge into: lp:canonical-identity-provider/release
Diff against target: 69 lines (+43/-1), 2 files modified
  src/identityprovider/emailutils.py (+1/-1)
  src/identityprovider/tests/test_emailutils.py (+42/-0)
To merge this branch: bzr merge lp:~james-w/canonical-identity-provider/email-timeout

Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ricardo Kirkner (community) | Approve | ||
Review via email: mp+181650@code.launchpad.net
Commit message
Treat email as case-insensitive when checking for verified emails.
The db indexes are for UPPER/LOWER on email, so not using __iexact
means that no index is used. In most other places email is taken
to be case-insensitive.
Description of the change
Hi,
As explained in the commit message, use __iexact on an email lookup.
https:/
the problem this fixes.
Thanks,
James
Updated with tests.
I feel a bit uneasy about this change though. It seems like the inconsistent
treatment of email addresses means that there could be bugs hiding, including
possibly security holes.
Here's what I've found:
management.commands.add_to_team: case-sensitive lookup: mostly fine, just have to lookup with the correct case
management.commands.create_test_team: case-sensitive lookup: would create a new email address with the settings.SSO_TEST_ACCOUNT_EMAIL case.
management.commands.cleanup: case-insensitive deletion
forms: case-insensitive lookup, both for previously invalidated, and duplicate check. However, duplicate check only activates if status=NEW. I don't see where the email is actually created based on this though.
login: case-insensitive lookup against invalidated,
models.emailaddress: create_from_phone_id: no case insensitive check before creation.
views.ui: _finish_account_creation: get_by_email, then case-sensitive lookup. Would just cause a crash if mismatch.
    confirm-email: case-insensitive lookup
    reset_password: case-insensitive lookup
views.account: _send_verification_email: case-insensitive delete, followed by case-sensitive lookup
    invalidate_email: case-sensitive lookup
api.v10.handlers: RegistrationHandler: case-insensitive lookup
    validate_email: case-insensitive lookup for validation
api.v20.handlers: EmailsHandler: case-sensitive lookup/deletion
There's nothing obviously terrible here, but there is clearly some confusion. I wonder if it
is worth clearing this up? Or whether the differences are warranted?
Thanks,
James
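
The two points raised in this proposal, as an added illustration that is not code from the branch or the project: an exact-match lookup bypasses a case-folding index, and a case-sensitive pre-check before creation lets a second row for the same address in. It uses the standard-library sqlite3 module rather than the Django ORM; the table layout, index name and sample address are constructed assumptions.

```python
import sqlite3

# Exact match, and the case-folded match a lookup like __iexact is meant to give.
EXACT = "SELECT id FROM emailaddress WHERE email = ?"
IEXACT = "SELECT id FROM emailaddress WHERE lower(email) = ?"
INSERT = "INSERT INTO emailaddress (email, status) VALUES (?, ?)"


def build_db():
    """Constructed sample table; schema and index name are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emailaddress "
               "(id INTEGER PRIMARY KEY, email TEXT, status TEXT)")
    # Functional index on the case-folded address, standing in for the
    # UPPER/LOWER indexes the commit message mentions.
    db.execute("CREATE INDEX email_lower_idx ON emailaddress (lower(email))")
    db.execute(INSERT, ("Alice@Example.com", "VALIDATED"))
    return db


def uses_index(db, sql, param):
    """True if the query plan for sql mentions the case-folding index."""
    plan = db.execute("EXPLAIN QUERY PLAN " + sql, (param,)).fetchall()
    return any("email_lower_idx" in row[-1] for row in plan)


def find(db, addr, case_insensitive):
    # SQLite's lower() folds ASCII only, which is enough for this sample.
    if case_insensitive:
        return db.execute(IEXACT, (addr.lower(),)).fetchall()
    return db.execute(EXACT, (addr,)).fetchall()


def create_if_absent(db, addr, case_insensitive):
    """Insert addr unless the pre-check finds it; True if a row was added."""
    if find(db, addr, case_insensitive):
        return False
    db.execute(INSERT, (addr, "NEW"))
    return True


if __name__ == "__main__":
    db = build_db()
    addr = "alice@example.com"
    print("exact uses index: ", uses_index(db, EXACT, addr))
    print("iexact uses index:", uses_index(db, IEXACT, addr))
    print("insensitive pre-check adds row:", create_if_absent(db, addr, True))
    print("sensitive pre-check adds row:  ", create_if_absent(db, addr, False))
    print("rows for this address:", len(find(db, addr, True)))
```
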