add check for duplicate email, email message to old address

duplicate email opens a security hole because of social auth
2013-03-12 21:25:18 -04:00 · 2013-03-12 21:25:18 -04:00 · 82196e1b62
parent 225ea72450
commit 82196e1b62
2 changed files with 11 additions and 5 deletions
--- a/email_change/forms.py
+++ b/email_change/forms.py
@ -26,6 +26,7 @@

 from django import forms
 from django.db.models.loading import cache
+from django.utils.translation import ugettext_lazy as _


 class EmailChangeForm(forms.Form):
@ -56,10 +57,15 @@ class EmailChangeForm(forms.Form):
        
        # Check if the new email address differs from the current email address.
        if user.email == email:
-            raise forms.ValidationError('New email address cannot be the same \
-                as your current email address')
-        
+            raise forms.ValidationError(_("Your email is already ")+ email)
+
+        users = User.objects.exclude(id=user.id).filter(email__iexact=email)
+        for user in users:
+            raise forms.ValidationError(_("Another user with that email already exists."))
+       
        return email

+    oldemail = None
+    


--- a/email_change/views.py
+++ b/email_change/views.py
@ -73,7 +73,7 @@ def email_change_view(request, extra_context={},
                verification_key = verification_key,
                email = email
                )
-            old_email=user.email
+            old_email=request.user.email
            
            # Prepare context
            c = {
@ -91,7 +91,7 @@ def email_change_view(request, extra_context={},
            subject = render_to_string(email_subject_template_name, context_instance=context)
            message = render_to_string(email_message_template_name, context_instance=context)
            
-            send_mail(subject, message, None, [email,old_email])
+            send_mail(subject, message, None, [email, old_email])
            
            # Redirect
            return redirect(success_url)