Email addresses can get out of sync leading to logging in to wrong account #54

Closed
dbenamy opened this Issue Dec 12, 2012 · 1 comment


@dbenamy

I was updating email addresses in the django admin and got into a state where one django auth user had some email address set, and a different user had an account EmailAddress with that same email address. This caused all kinds of bizarre things, most importantly, me not being able to log into the first user. It took a long time to figure out what was going on.

This was all the result of a few problems:

  1. Repeating the email address from the auth User in the account EmailAddress enables the 2 to get out of sync. Is there a way to avoid storing the email address twice?

  2. As a plan B, it should be harder to break things. Updating user emails in the admin should work right.

  3. This isn't described in the docs. Or at least not obviously. I'd expect a big fat warning on http://django-user-accounts.readthedocs.org/en/latest/usage.html#using-email-address-for-authentication that you have to keep the 2 email fields in sync.

  4. The EmailAddress model doesn't show up in the admin. If it had, I would have figured out what was going on sooner and it would have been trivial to fix.

Thanks,
Dan

@brosner
Pinax Project member

I don't know of a good way of avoiding storing the email address twice. This largely stems from the cruft django.contrib.auth provides. Site developers can avoid it by using a custom user model (which we've recently added support for.)

I am going to add some documentation that mentions this problem. EmailAddress was added to the admin in 0ec7e01 so that problem should be reduced hopefully.

@brosner brosner closed this in c390b2a Jan 14, 2014
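An added example, not part of the thread and not django-user-accounts code: a read-only audit for the out-of-sync state described in the issue, run over (user id, email) pairs exported from the auth User table and the account EmailAddress table. The tuple layout, the case-insensitive comparison, the function name and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict


def _norm(email):
    # Assumption: addresses are compared case-insensitively, ignoring padding.
    return (email or "").strip().lower()


def find_email_desync(users, email_addresses):
    """Report auth users whose email is out of sync with EmailAddress rows.

    users           -- iterable of (user_id, email) from the auth User table
    email_addresses -- iterable of (user_id, email) from account EmailAddress
    Returns a list of (kind, user_id, email, other_owner_ids) where kind is
    "conflict" (another user holds an EmailAddress row for this user's email,
    the state that led to logging in to the wrong account) or "missing"
    (the user has no EmailAddress row matching their own email).
    """
    owners = defaultdict(set)        # normalized email -> user ids with a row
    rows_by_user = defaultdict(set)  # user id -> normalized emails it holds
    for uid, email in email_addresses:
        owners[_norm(email)].add(uid)
        rows_by_user[uid].add(_norm(email))

    findings = []
    for uid, email in users:
        addr = _norm(email)
        if not addr:
            continue  # nothing to compare for users without an email
        others = sorted(owners[addr] - {uid})
        if others:
            findings.append(("conflict", uid, addr, others))
        elif addr not in rows_by_user[uid]:
            findings.append(("missing", uid, addr, []))
    return findings


# Constructed sample rows: user 1's email was edited on the User record only,
# and user 2 holds an EmailAddress row for that same address.
SAMPLE_USERS = [(1, "alice@example.com"), (2, "bob@example.com"),
                (3, "carol@example.com"), (4, "")]
SAMPLE_EMAIL_ADDRESSES = [(1, "old-alice@example.com"),
                          (2, "Alice@example.com"),
                          (2, "bob@example.com")]

if __name__ == "__main__":
    for finding in find_email_desync(SAMPLE_USERS, SAMPLE_EMAIL_ADDRESSES):
        print(finding)
```

A "conflict" finding is the one to resolve first, since it means a login by email can resolve to a user other than the one whose User record carries that address.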