Google Gmail -- dot ( . ) in local part & existing user's email (account) #2270
Something recently happened that made me think about this and we should definitely consider changing our email validation mechanism.
As you might already know, Google's Gmail does not care about dot symbols in the local part of an address, so, for example:
is exactly the same as:
You get the idea. All 3 examples above, from Google's perspective, are one and the same email address (account).
Now, while all of the above are technically different, in the case of Gmail (at least), when checking if a user is already registered (exists) we should consider this technicality and remove dots before comparison.
Another person / potential user cannot* undermine the original person's security in any way if account confirmation is required in Osclass's User settings ("Users need to validate their account"), unless the intruder has access to the original person's Gmail account, and Google prevents registering another email address with a different dot configuration (it will detect and report that email account as not available). We should avoid it anyway, because the original person will still receive an email notification about the registration (addressed to a different user), because, again, dots don't count in Gmail. So, it may be confusing to the person who was registered first with it.
If account confirmation is not required in Osclass (per admin's configuration), then we might have a problem.
This is a problem some big companies have, too.
I know it may get hairy with all the different possibilities out there, but Gmail is so dominant today that we can't simply ignore it, and we should make an exception in this case at least.
resources (there are many):
I don't think it's a good idea, I use this exact feature for this purpose, to be able to have two accounts.
I don't see the issue here, if I make a variation of my Gmail address, only I will receive the email. As you said, this is how Gmail works.
I had that exact paragraph written above, but just moments before posting I decided to delete it.
I would rather have a more secure system than this unplanned feature for admin/dev.
I know you are looking at this from a developer & convenience point of view, that's why it should be easy for you to disable validation code regarding Google/Gmail in an instant.
However, switch to a production mindset for a moment, and put yourself in the shoes of a user who just starts receiving weird email notifications. What will that user do? In the best case scenario, they will contact admin/support and ask for a security check. Ordinary users barely know what email is, let alone the difference or importance/non-importance of a dot (.) in it.
We can use filters/hooks. The simplest option is to just modify it in UserActions, during the registration stage.
We already have this:
As the system will not allow multiple account registration, we don't need other options (e.g. adjusting the model and other parts related to Item).
edit: unfortunately, it will also require other modifications (in the model, particularly, to take into account comparison of all dot occurrences, and ultimately store only the dot-free version in the database). And that complicates things even further, as login needs to take this into account as well, so that the initial user doesn't have issues because of removed dots. Oh...
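
An added example, not part of the thread and not Osclass code: one way to do the comparison discussed above is to derive a separate dot-free key for Gmail addresses that is used only for the "already registered" check, while the address as typed is kept for delivery. The function names, the sample addresses and the in-memory array standing in for the users table are hypothetical.

```php
<?php
// Added example; names are hypothetical and not taken from Osclass.

/**
 * Build the key used only for "is this mailbox already registered?" checks.
 * The address as the user typed it is stored separately and used for delivery.
 */
function canonical_email_key(string $email): ?string
{
    // Lower-casing the whole address is a choice made for this example.
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return null; // no local part or no domain
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    // Dots are dropped only for Gmail; other providers may treat them as significant.
    // Treating googlemail.com as gmail.com is an assumption of this example.
    if ($domain === 'gmail.com' || $domain === 'googlemail.com') {
        $local  = str_replace('.', '', $local);
        $domain = 'gmail.com';
        if ($local === '') {
            return null;
        }
    }
    return $local . '@' . $domain;
}

/** In-memory stand-in for a users table with a UNIQUE index on the key column. */
function register_user(array &$usersByKey, string $email): string
{
    $key = canonical_email_key($email);
    if ($key === null) {
        return 'invalid';
    }
    if (isset($usersByKey[$key])) {
        return 'exists'; // same mailbox, different dot placement
    }
    $usersByKey[$key] = $email; // keep the address as typed for delivery
    return 'created';
}

// Constructed sample input.
$users = [];
foreach (['john.smith@gmail.com', 'JohnSmith@gmail.com', 'j.o.h.n.smith@googlemail.com',
          'john.smith@example.org', 'johnsmith@example.org'] as $addr) {
    printf("%-30s %s\n", $addr, register_user($users, $addr));
}
```

Because the key is recomputed from whatever the user types, a login lookup by the same key resolves any dot variant of a Gmail address to the one existing account, while the two example.org addresses remain distinct.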