From 54a19e9091a8bb7516f2a6745cc330c1740d03e6 Mon Sep 17 00:00:00 2001 From: Luke Faraone Date: Mon, 11 Feb 2013 13:37:31 -0500 Subject: [PATCH] Check whether users are active, not whether they are nonunique. Previously we checked and bailed when there was a user registered with an email address, regardless of active status. This meant that MIT users who had inactive accounts autocreated had issues where they would be confusingly told they were signed up even though they had never taken any action on our site directly. Now we instead check whether there are any current *active* user accounts with that email address, and proceed with generating an activation link if the user lacks a corresponding active account. Security implications of this commit come into play if we start implementing removing users ability to sign in as deactivation. Since we lack a user removal story here, this isn't terribly concerning yet and we'll revist this code when we decide to add such functionality in the future. This resolves trac #581 and #631. (imported from commit c3fb93ce065e63e19b41f63c1f27891b93b75f86) --- zephyr/forms.py | 10 +++------- zephyr/views.py | 3 ++- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/zephyr/forms.py b/zephyr/forms.py index c302239b49..94153c5332 100644 --- a/zephyr/forms.py +++ b/zephyr/forms.py @@ -35,10 +35,6 @@ def isnt_mit(value): if "@mit.edu" in value: raise ValidationError(mark_safe(u'Humbug for MIT is by invitation only. ' + SIGNUP_STRING)) - -class UniqueEmailField(forms.EmailField): - default_validators = [validators.validate_email, is_unique] - class RegistrationForm(forms.Form): full_name = forms.CharField(max_length=100) password = forms.CharField(widget=forms.PasswordInput, max_length=100) @@ -50,10 +46,10 @@ class ToSForm(forms.Form): class HomepageForm(forms.Form): if settings.ALLOW_REGISTER: - email = UniqueEmailField() + email = forms.EmailField() else: - validators = UniqueEmailField.default_validators + [has_valid_realm, isnt_mit] - email = UniqueEmailField(validators=validators) + validators = [has_valid_realm, isnt_mit, is_active] + email = forms.EmailField(validators=validators) class LoggingSetPasswordForm(SetPasswordForm): def save(self, commit=True): diff --git a/zephyr/views.py b/zephyr/views.py index b4da3e2e9d..925f886c26 100644 --- a/zephyr/views.py +++ b/zephyr/views.py @@ -355,7 +355,8 @@ def accounts_home(request): return HttpResponseRedirect(reverse('send_confirm', kwargs={'email':user.email})) try: email = request.POST['email'] - is_unique(email) + # Note: We don't check for uniqueness + is_active(email) except ValidationError: return HttpResponseRedirect(reverse('django.contrib.auth.views.login') + '?email=' + urllib.quote_plus(email)) else: