[BUG] accounts - username/email is not treated case insensitive #2066
molokov added a commit to molokov/mezzanine that referenced this issue on Dec 24, 2023:
… and password reset forms. More unit test cases added for accounts to cover these cases. Fixes stephenmcd#2066
Can I work on this?
Hi Goutham, I already have a pull request open on this with the solution, see above.
Current Behavior
For accounts, usernames and email addresses are matched case-sensitively, which means the following:
a) Two accounts can be signed up for using the same email address but different case.
NOTE: Usernames are checked case-insensitively, so you can't create two accounts with the same username but different case ( https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L151-L156 )
b) When logging in using a username/email which doesn't match the case of an account, an error of "Invalid username/email and password" is given.
c) When attempting to reset a password via a username/email which doesn't match the case of the account, an error of "Invalid username/email" is given.
This has tripped up many users of my website, because they've not used all lowercase on their email addresses when signing up, and had forgotten their usernames for password reset or login. So of course, they attempted with their email address and discovered that they couldn't get in that way either (because the case of the email wasn't an exact match).
Given that email addresses are case insensitive, so should our use/authentication of them be here. We also disallow two usernames of different cases when creating an account, but the username for login/password reset is case sensitive, which isn't consistent.
Expected Behavior
Username and Email matching should be case insensitive for user accounts.
Steps To Reproduce
A) Sign up for two accounts with the same email address, just different case. This succeeds and two accounts are created. Expected error: "This email is already registered".
B) Log in to an account using a username or email with different case from the one registered. This should succeed.
C) Reset password on an account using a username or email with different case from the one registered. This should succeed.
Anything else?
Should be a fairly simple fix - instead of
we should use
This line appears at https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L264
and https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/core/auth_backends.py#L28
For signup, the line to fix would be: https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L184 for email addresses.
Note that usernames are checked case-insensitively when signing up at https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L151-L156 so this should likely apply to usernames as well.
I'll make a fix on my fork and see if I can raise a pull request.
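The case-insensitive matching the issue asks for, worked through as an added example that is not Mezzanine's code: a pure-Python stand-in for the Django `__iexact` lookups behind the three flows (signup duplicate check, login, password reset) over a constructed user table. `User`, `USERS` and the function names are assumptions, and the ambiguous-match branch assumes that accounts differing only in email case may already exist from before the fix.

```python
"""Case-insensitive account lookup, written as a pure-Python stand-in for the
Django ``__iexact`` lookups the fix needs (added example, not Mezzanine code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str


# Constructed sample table. "bob" and "bob2" share an email that differs only
# in case: exactly the duplicate that current behaviour (a) lets through.
USERS = [
    User("Alice", "Alice@Example.com"),
    User("bob", "bob@example.com"),
    User("bob2", "BOB@example.com"),
]


def _key(value):
    """Normalise a value for comparison the way an ``__iexact`` lookup would."""
    return value.strip().lower()


def email_is_registered(users, email):
    """Signup check for step A: reject an email that differs only in case
    (Django equivalent: ``User.objects.filter(email__iexact=email).exists()``)."""
    key = _key(email)
    return any(_key(u.email) == key for u in users)


def find_accounts(users, identifier):
    """Every account whose username OR email matches ignoring case
    (Django equivalent: ``Q(username__iexact=x) | Q(email__iexact=x)``)."""
    key = _key(identifier)
    return [u for u in users if key in (_key(u.username), _key(u.email))]


def lookup_for_login_or_reset(users, identifier):
    """Login / password-reset lookup for steps B and C: one account or None.
    Pre-existing case-variant duplicates make the match ambiguous (the ORM's
    ``get()`` would raise MultipleObjectsReturned), so they are reported
    rather than resolved by picking one account arbitrarily."""
    matches = find_accounts(users, identifier)
    if not matches:
        return None
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} accounts match {identifier!r}")
    return matches[0]
```

Before switching the real queries to `__iexact`, rows that already collide under case-insensitive comparison need to be merged or renamed, otherwise the `get()` in the login and reset paths raises instead of authenticating.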