fix: avoid duplicate email registration

thorsten · thorsten · commit 44cd20f86eb0 · 2025-09-25T20:58:34.000+02:00
diff --git a/phpmyfaq/src/phpMyFAQ/Helper/RegistrationHelper.php b/phpmyfaq/src/phpMyFAQ/Helper/RegistrationHelper.php
@@ -23,6 +23,7 @@
 use phpMyFAQ\Strings;
 use phpMyFAQ\Translation;
 use phpMyFAQ\User;
+use phpMyFAQ\User\UserData;
 use phpMyFAQ\Utils;
 use Symfony\Component\Mailer\Exception\TransportExceptionInterface;
 
@@ -42,17 +43,31 @@ public function __construct(Configuration $configuration)
     }
 
     /**
-     * Creates a new user account, sends mail and returns success or
+     * Creates a new user account and saves the user data.
+     * If user generation was successful, account activation is sent via an email
      * error message as an array.
      * The password will be automatically generated and sent by email
-     * as soon if admin switch user to "active"
+     * as soon if admin switches user to "active"
      *
      * @throws Exception|TransportExceptionInterface
      */
     public function createUser(string $userName, string $fullName, string $email, bool $isVisible): array
     {
         $user = new User($this->configuration);
 
+        // Check if email already exists in the userdata table (even if the username is different)
+        if (!empty($email)) {
+            if (!$user->userdata instanceof UserData) {
+                $user->userdata = new UserData($this->configuration);
+            }
+            if ($user->userdata->emailExists($email)) {
+                return [
+                    'registered' => false,
+                    'error' => User::ERROR_USER_EMAIL_NOT_UNIQUE
+                ];
+            }
+        }
+
         if (!$user->createUser($userName, '')) {
             return [
                 'registered' => false,
@@ -95,14 +110,14 @@ public function createUser(string $userName, string $fullName, string $email, bo
     }
 
     /**
-     * Returns true, if the hostname of the given email address is allowed.
+     * Returns true if the hostname of the given email address is allowed.
      * otherwise false.
      */
     public function isDomainAllowed(string $email): bool
     {
         $whitelistedDomains = $this->configuration->get('security.domainWhiteListForRegistrations');
 
-        if (Strings::strlen($whitelistedDomains) === 0) {
+        if ($whitelistedDomains === null || Strings::strlen(trim((string) $whitelistedDomains)) === 0) {
             return true;
         }
 
diff --git a/phpmyfaq/src/phpMyFAQ/User.php b/phpmyfaq/src/phpMyFAQ/User.php
@@ -67,6 +67,8 @@ class User
 
     final public const ERROR_USER_LOGIN_NOT_UNIQUE = 'The Login name already exists.';
 
+    final public const ERROR_USER_EMAIL_NOT_UNIQUE = 'The email address already exists.';
+
     final public const ERROR_USER_LOGIN_INVALID = 'The chosen login is invalid. A valid login has at least four ' .
         'characters. Only letters, numbers and underscore _ are allowed. The first letter must be a letter. ';
 
@@ -384,14 +386,24 @@ public function createUser(string $login, string $pass = '', string $domain = ''
             throw new Exception(self::ERROR_USER_LOGIN_NOT_UNIQUE);
         }
 
+        // If $login is an email address, check if it already exists in userdata table
+        if ($this->isEmailAddress($login)) {
+            if (!$this->userdata instanceof UserData) {
+                $this->userdata = new UserData($this->configuration);
+            }
+            if ($this->userdata->emailExists($login)) {
+                throw new Exception(self::ERROR_USER_EMAIL_NOT_UNIQUE);
+            }
+        }
+
         // set user-ID
         if (0 === $userId) {
             $this->userId = $this->configuration->getDb()->nextId(Database::getTablePrefix() . 'faquser', 'user_id');
         } else {
             $this->userId = $userId;
         }
 
-        // create user entry
+        // create a user entry
         $insert = sprintf(
             "INSERT INTO %sfaquser (user_id, login, session_timestamp, member_since) VALUES (%d, '%s', %d, '%s')",
             Database::getTablePrefix(),
@@ -1033,4 +1045,14 @@ public function getWebAuthnKeys(): string
 
         return '';
     }
+
+    /**
+     * Checks if a string is a valid email address.
+     *
+     * @param string $string String to check
+     */
+    private function isEmailAddress(string $string): bool
+    {
+        return filter_var($string, FILTER_VALIDATE_EMAIL) !== false;
+    }
 }
diff --git a/phpmyfaq/src/phpMyFAQ/User/UserData.php b/phpmyfaq/src/phpMyFAQ/User/UserData.php
@@ -287,4 +287,26 @@ public function delete(int $userId): bool
 
         return true;
     }
+
+    /**
+     * Checks if an email address already exists in the user data table.
+     * Returns true if the email exists, false otherwise.
+     *
+     * @param string $email Email address to check
+     */
+    public function emailExists(string $email): bool
+    {
+        if (empty($email)) {
+            return false;
+        }
+
+        $select = sprintf(
+            "SELECT user_id FROM %sfaquserdata WHERE email = '%s'",
+            Database::getTablePrefix(),
+            $this->configuration->getDb()->escape($email)
+        );
+
+        $res = $this->configuration->getDb()->query($select);
+        return $this->configuration->getDb()->numRows($res) > 0;
+    }
 }
diff --git a/tests/phpMyFAQ/Helper/RegistrationHelperTest.php b/tests/phpMyFAQ/Helper/RegistrationHelperTest.php
@@ -0,0 +1,69 @@
+<?php
+
+namespace phpMyFAQ\Helper;
+
+use phpMyFAQ\Configuration;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+
+class RegistrationHelperTest extends TestCase
+{
+    private Configuration|MockObject $configuration;
+    private RegistrationHelper $registrationHelper;
+
+    protected function setUp(): void
+    {
+        $this->configuration = $this->createMock(Configuration::class);
+        $this->registrationHelper = new RegistrationHelper($this->configuration);
+    }
+
+    public function testIsDomainAllowedReturnsTrueWhenNoWhitelist(): void
+    {
+        $this->configuration->method('get')
+            ->with('security.domainWhiteListForRegistrations')
+            ->willReturn('');
+
+        $result = $this->registrationHelper->isDomainAllowed('test@example.com');
+        $this->assertTrue($result);
+    }
+
+    public function testIsDomainAllowedReturnsTrueWhenDomainInWhitelist(): void
+    {
+        $this->configuration->method('get')
+            ->with('security.domainWhiteListForRegistrations')
+            ->willReturn('example.com, test.org');
+
+        $result = $this->registrationHelper->isDomainAllowed('test@example.com');
+        $this->assertTrue($result);
+    }
+
+    public function testIsDomainAllowedReturnsFalseWhenDomainNotInWhitelist(): void
+    {
+        $this->configuration->method('get')
+            ->with('security.domainWhiteListForRegistrations')
+            ->willReturn('alloweddomain.com, anotherdomain.org');
+
+        $result = $this->registrationHelper->isDomainAllowed('test@forbiddendomain.com');
+        $this->assertFalse($result);
+    }
+
+    public function testIsDomainAllowedHandlesNullConfiguration(): void
+    {
+        $this->configuration->method('get')
+            ->with('security.domainWhiteListForRegistrations')
+            ->willReturn(null);
+
+        $result = $this->registrationHelper->isDomainAllowed('test@example.com');
+        $this->assertTrue($result);
+    }
+
+    public function testIsDomainAllowedHandlesEmptyDomainList(): void
+    {
+        $this->configuration->method('get')
+            ->with('security.domainWhiteListForRegistrations')
+            ->willReturn('   ');
+
+        $result = $this->registrationHelper->isDomainAllowed('test@example.com');
+        $this->assertTrue($result);
+    }
+}
diff --git a/tests/phpMyFAQ/User/UserDataTest.php b/tests/phpMyFAQ/User/UserDataTest.php
@@ -92,4 +92,30 @@ public function testDelete(): void
         $result = $this->userData->delete(1);
         $this->assertTrue($result);
     }
+
+    public function testEmailExistsReturnsTrueWhenEmailExists(): void
+    {
+        $this->database->method('escape')->willReturn('test@example.com');
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(1);
+
+        $result = $this->userData->emailExists('test@example.com');
+        $this->assertTrue($result);
+    }
+
+    public function testEmailExistsReturnsFalseWhenEmailDoesNotExist(): void
+    {
+        $this->database->method('escape')->willReturn('nonexistent@example.com');
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(0);
+
+        $result = $this->userData->emailExists('nonexistent@example.com');
+        $this->assertFalse($result);
+    }
+
+    public function testEmailExistsReturnsFalseForEmptyEmail(): void
+    {
+        $result = $this->userData->emailExists('');
+        $this->assertFalse($result);
+    }
 }
diff --git a/tests/phpMyFAQ/UserTest.php b/tests/phpMyFAQ/UserTest.php
@@ -0,0 +1,108 @@
+<?php
+
+namespace phpMyFAQ;
+
+use Exception;
+use phpMyFAQ\Database\Sqlite3;
+use phpMyFAQ\User\UserData;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use ReflectionClass;
+
+class UserTest extends TestCase
+{
+    private Configuration|MockObject $configuration;
+    private Sqlite3|MockObject $database;
+    private User $user;
+    private UserData|MockObject $userData;
+
+    protected function setUp(): void
+    {
+        $this->configuration = $this->createMock(Configuration::class);
+        $this->database = $this->createMock(Sqlite3::class);
+        $this->userData = $this->createMock(UserData::class);
+
+        $this->configuration->method('getDb')->willReturn($this->database);
+        $this->configuration->method('get')->willReturnMap([
+            ['security.permLevel', 'basic'],
+        ]);
+
+        $this->user = new User($this->configuration);
+        $this->user->userdata = $this->userData;
+    }
+
+    public function testIsEmailAddressReturnsTrueForValidEmail(): void
+    {
+        $reflection = new ReflectionClass($this->user);
+        $method = $reflection->getMethod('isEmailAddress');
+
+        $result = $method->invoke($this->user, 'test@example.com');
+        $this->assertTrue($result);
+    }
+
+    public function testIsEmailAddressReturnsFalseForInvalidEmail(): void
+    {
+        $reflection = new ReflectionClass($this->user);
+        $method = $reflection->getMethod('isEmailAddress');
+
+        $result = $method->invoke($this->user, 'invalid-email');
+        $this->assertFalse($result);
+    }
+
+    public function testCreateUserThrowsExceptionWhenEmailAlreadyExistsAsLogin(): void
+    {
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage(User::ERROR_USER_EMAIL_NOT_UNIQUE);
+
+        // Mock that login is valid
+        $this->database->method('escape')->willReturn('test@example.com');
+
+        // Mock that getUserByLogin returns false (login doesn't exist as login)
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(0);
+
+        // Mock that email exists in userdata
+        $this->userData->method('emailExists')->willReturn(true);
+
+        $this->user->createUser('test@example.com');
+    }
+
+    public function testCreateUserDoesNotCheckEmailWhenLoginIsNotEmail(): void
+    {
+        // Mock database operations to simulate login not existing
+        $this->database->method('escape')->willReturn('username');
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(0);
+
+        // emailExists should never be called for non-email logins
+        $this->userData->expects($this->never())->method('emailExists');
+
+        // This will throw an exception because no auth container is set up,
+        // but that's expected - we just want to verify emailExists wasn't called
+        try {
+            $this->user->createUser('username');
+        } catch (Exception $e) {
+            // Expected - ignore this exception as we're only testing the email check logic
+        }
+    }
+
+    public function testCreateUserThrowsExceptionWhenLoginNotUnique(): void
+    {
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage(User::ERROR_USER_LOGIN_NOT_UNIQUE);
+
+        // Mock that login exists
+        $this->database->method('escape')->willReturn('existinguser');
+        $this->database->method('query')->willReturn(true);
+        $this->database->method('numRows')->willReturn(1);
+        $this->database->method('fetchArray')->willReturn([
+            'user_id' => 1,
+            'login' => 'existinguser',
+            'account_status' => 'active',
+            'is_superadmin' => false,
+            'auth_source' => 'local'
+        ]);
+
+        $this->user->createUser('existinguser');
+    }
+}
