From 82196e1b62e722954c5830f667c5484d5c54d203 Mon Sep 17 00:00:00 2001
From: eric
Date: Tue, 12 Mar 2013 21:25:18 -0400
Subject: [PATCH] add check for duplicate email, email message to old address

duplicate email opens a security hole because of social auth
---
 email_change/forms.py | 12 +++++++++---
 email_change/views.py | 4 ++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/email_change/forms.py b/email_change/forms.py
index d3c71f0d..537c251f 100644
--- a/email_change/forms.py
+++ b/email_change/forms.py
@@ -26,6 +26,7 @@ from django import forms
 from django.db.models.loading import cache
+from django.utils.translation import ugettext_lazy as _
 class EmailChangeForm(forms.Form):
@@ -56,10 +57,15 @@ class EmailChangeForm(forms.Form):
 # Check if the new email address differs from the current email address.
 if user.email == email:
- raise forms.ValidationError('New email address cannot be the same \
- as your current email address')
-
+ raise forms.ValidationError(_("Your email is already ")+ email)
+
+ users = User.objects.exclude(id=user.id).filter(email__iexact=email)
+ for user in users:
+ raise forms.ValidationError(_("Another user with that email already exists."))
+
 return email
+ oldemail = None
+
diff --git a/email_change/views.py b/email_change/views.py
index 97e80f7b..12db75cb 100644
--- a/email_change/views.py
+++ b/email_change/views.py
@@ -73,7 +73,7 @@ def email_change_view(request, extra_context={},
 verification_key = verification_key,
 email = email
 )
- old_email=user.email
+ old_email=request.user.email
 # Prepare context
 c = {
@@ -91,7 +91,7 @@ def email_change_view(request, extra_context={},
 subject = render_to_string(email_subject_template_name, context_instance=context)
 message = render_to_string(email_message_template_name, context_instance=context)
- send_mail(subject, message, None, [email,old_email])
+ send_mail(subject, message, None, [email, old_email])
 # Redirect
 return redirect(success_url)
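Review bot: The duplicate-address check added in the second forms.py hunk (the enclosing clean method's def is outside the hunk) runs only when the form is submitted, so the window between submitting and clicking the verification link is unguarded: another account can take the address in between, and the commit message says a duplicate is exactly what opens the social-auth hole. The same `exclude(id=user.id).filter(email__iexact=email)` test should be repeated at the point where the verified address is written back to the user, which is not in this diff. Using `for user in users: raise …` as an existence test also rebinds the outer `user`; `if User.objects.exclude(id=user.id).filter(email__iexact=email).exists():` followed by the raise is clearer and touches nothing else (I cannot see whether `User` is imported or obtained via `cache.get_model` elsewhere in the file). `_("Your email is already ") + email` cannot be translated as a sentence; `_("Your email is already %s") % email` keeps the whole string in the catalog. The trailing `oldemail = None` is not referenced anywhere in the diff and its indentation is lost in this rendering, so I cannot tell whether it is a class attribute or unreachable code after `return email`.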
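Review bot: `old_email=request.user.email` in the first views.py hunk can be an empty string for an account that has no address yet, and that value then lands in the recipient list of the `send_mail` call later in this function; build the list as `recipients = [email] + ([old_email] if old_email else [])` before sending. `email_change_view` starts and ends outside the hunk, so I cannot see what `user` on the replaced line was bound to, if anything; the new line at least uses the authenticated request user explicitly.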
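Review bot: In the second views.py hunk the same rendered `message` goes to both the new and the old address, and if `email_message_template_name` embeds the verification link (the `verification_key` created earlier in this view suggests it does), confirmation no longer proves control of the new mailbox, because the old mailbox receives the same link. The old address should get a notification-only template without the key: keep `send_mail(subject, message, None, [email])` for the verification and render a separate notice for `[old_email]`. `email_change_view` continues outside the hunk.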