Ignore capitalisation of local part of email address

Most email servers don't respect capitalisation, and many users don't
know about it. So Oscar now does what the rest of the world does, and
ignores the capitalisation when looking up an email address.

Fixes #1179.

docs/source/releases/v0.8.rst

@@ -349,6 +349,24 @@ Other potentially breaking changes related to shipping include:
 * ``oscar.apps.shipping.Scales`` has been renamed and moved to
   ``oscar.apps.shipping.scales.Scale``, and is now overridable.
 
+Email address handling
+----------------------
+
+In theory, the local part of an email is case-sensitive. In practice, many
+users don't know about this and most email servers don't consider the
+capitalisation. Because of this, Oscar now disregards capitalisation when
+looking up emails (e.g. when a user logs in).
+Storing behaviour is unaltered: When a user's email address is stored (e.g.
+when registering or checking out), the local part is unaltered and
+the host portion is lowercased.
+
+.. warning::
+
+   Those changes mean you might now have multiple users with email addresses
+   that Oscar considers identical. Please use the new
+   ``oscar_find_duplicate_emails`` management command to check your database
+   and deal with any conflicts accordingly.
+
 Misc
 ~~~~
 

oscar/apps/checkout/forms.py

@@ -56,7 +56,7 @@ class GatewayForm(AuthenticationForm):
                 del self.errors['password']
             if 'username' in self.cleaned_data:
                 email = normalise_email(self.cleaned_data['username'])
-                if User._default_manager.filter(email=email).exists():
+                if User._default_manager.filter(email__iexact=email).exists():
                     msg = "A user with that email address already exists"
                     self._errors["username"] = self.error_class([msg])
             return self.cleaned_data

oscar/apps/customer/auth_backends.py

@@ -37,7 +37,8 @@ class EmailBackend(ModelBackend):
         # intentionally allow multiple users with the same email address
         # (has been a requirement in larger system deployments),
         # we just enforce that they don't share the same password.
-        matching_users = User.objects.filter(email=clean_email)
+        # We make a case-insensitive match when looking for emails.
+        matching_users = User.objects.filter(email__iexact=clean_email)
         authenticated_users = [
             user for user in matching_users if user.check_password(password)]
         if len(authenticated_users) == 1:

oscar/apps/customer/forms.py

@@ -153,8 +153,11 @@ class EmailUserCreationForm(forms.ModelForm):
         super(EmailUserCreationForm, self).__init__(*args, **kwargs)
 
     def clean_email(self):
+        """
+        Checks for existing users with the supplied email address.
+        """
         email = normalise_email(self.cleaned_data['email'])
-        if User._default_manager.filter(email=email).exists():
+        if User._default_manager.filter(email__iexact=email).exists():
             raise forms.ValidationError(
                 _("A user with that email address already exists"))
         return email
@@ -280,9 +283,10 @@ class UserForm(forms.ModelForm):
         """
         email = normalise_email(self.cleaned_data['email'])
         if User._default_manager.filter(
-                email=email).exclude(id=self.user.id).exists():
+                email__iexact=email).exclude(id=self.user.id).exists():
             raise ValidationError(
                 _("A user with this email address already exists"))
+        # Save the email unaltered
         return email
 
     class Meta:
@@ -340,8 +344,10 @@ if Profile:
 
         def clean_email(self):
             email = normalise_email(self.cleaned_data['email'])
-            if User._default_manager.filter(
-                    email=email).exclude(id=self.instance.user.id).exists():
+
+            users_with_email = User._default_manager.filter(
+                email__iexact=email).exclude(id=self.instance.user.id)
+            if users_with_email.exists():
                 raise ValidationError(
                     _("A user with this email address already exists"))
             return email
@@ -392,7 +398,7 @@ class ProductAlertForm(forms.ModelForm):
         if email:
             try:
                 ProductAlert.objects.get(
-                    product=self.product, email=email,
+                    product=self.product, email__iexact=email,
                     status=ProductAlert.ACTIVE)
             except ProductAlert.DoesNotExist:
                 pass

oscar/apps/customer/mixins.py

@@ -68,6 +68,10 @@ class RegisterUserMixin(object):
             logger.warning(
                 'Multiple users with identical email address and password'
                 'were found. Marking all but one as not active.')
+            # As this section explicitly deals with the form being submitted
+            # twice, this is about the only place in Oscar where we don't
+            # ignore capitalisation when looking up an email address.
+            # We might otherwise accidentally mark unrelated users as inactive
             users = User.objects.filter(email=user.email)
             user = users[0]
             for u in users[1:]:

oscar/apps/dashboard/users/views.py

@@ -51,7 +51,7 @@ class IndexView(BulkEditMixin, ListView):
 
         if data['email']:
             email = normalise_email(data['email'])
-            queryset = queryset.filter(email__startswith=email)
+            queryset = queryset.filter(email__istartswith=email)
             self.desc_ctx['email_filter'] \
                 = _(" with email matching '%s'") % email
         if data['name']:

sites/sandbox/apps/gateway/forms.py

@@ -1,17 +1,14 @@
 from django import forms
 from django.contrib.auth.models import User
+from apps.customer.utils import normalise_email
 
 
 class GatewayForm(forms.Form):
     email = forms.EmailField()
 
     def clean_email(self):
-        email = self.cleaned_data['email']
-        try:
-            User.objects.get(email=email)
-        except User.DoesNotExist:
-            pass
-        else:
+        email = normalise_email(self.cleaned_data['email'])
+        if User.objects.filter(email__iexact=email).exists():
             raise forms.ValidationError(
                 "A user already exists with email %s" % email
             )

tests/functional/customer/auth_tests.py

@@ -93,6 +93,7 @@ class TestAnAuthenticatedUser(WebTestCase):
 
 
 class TestAnAnonymousUser(WebTestCase):
+    is_anonymous = True
 
     def assertCanLogin(self, email, password):
         url = reverse('customer:login')
@@ -121,11 +122,19 @@ class TestAnAnonymousUser(WebTestCase):
         url = reverse('customer:register')
         form = self.app.get(url).forms['register_form']
         form['email'] = 'terry@boom.com'
-        form['password1'] = 'hedgehog'
-        form['password2'] = 'hedgehog'
+        form['password1'] = form['password2'] = 'hedgehog'
         response = form.submit()
         self.assertRedirectsTo(response, 'customer:summary')
 
+    def test_casing_of_local_part_of_email_is_preserved(self):
+        url = reverse('customer:register')
+        form = self.app.get(url).forms['register_form']
+        form['email'] = 'Terry@Boom.com'
+        form['password1'] = form['password2'] = 'hedgehog'
+        form.submit()
+        user = User.objects.all()[0]
+        self.assertEquals(user.email, 'Terry@boom.com')
+
 
 class TestAStaffUser(WebTestCase):
     is_anonymous = True

tests/functional/customer/profile_tests.py

@@ -76,29 +76,28 @@ class TestASignedInUser(WebTestCase):
         self.assertEqual('Chuckle', user.last_name)
 
     def test_cant_update_their_email_address_if_it_already_exists(self):
-        User.objects.create_user(username='testuser', email='new@example.com',
-                                 password="somerandompassword")
+        # create a user to "block" new@example.com
+        User.objects.create_user(
+            username='testuser', email='new@example.com',
+            password="somerandompassword")
         self.assertEqual(User.objects.count(), 2)
 
-        profile_form_page = self.app.get(reverse('customer:profile-update'),
-                                user=self.user)
-        self.assertEqual(200, profile_form_page.status_code)
-        form = profile_form_page.forms['profile_form']
-        form['email'] = 'new@example.com'
-        form['first_name'] = 'Barry'
-        form['last_name'] = 'Chuckle'
-        response = form.submit()
-
-        user = User.objects.get(id=self.user.id)
-        self.assertEqual(self.email, user.email)
-
-        try:
-            User.objects.get(email='new@example.com')
-        except User.MultipleObjectsReturned:
-            self.fail("email for user changed to existing one")
-
-        self.assertContains(response,
-                            'A user with this email address already exists')
+        for email in ['new@example.com', 'New@Example.com']:
+            profile_form_page = self.app.get(
+                reverse('customer:profile-update'), user=self.user)
+            form = profile_form_page.forms['profile_form']
+            form['email'] = email
+            form['first_name'] = 'Barry'
+            form['last_name'] = 'Chuckle'
+            response = form.submit()
+
+            # assert that the original user's email address is unchanged
+            user = User.objects.get(id=self.user.id)
+            self.assertEqual(self.email, user.email)
+            self.assertEquals(
+                User.objects.filter(email__iexact='new@example.com').count(), 1)
+            self.assertContains(
+                response, 'A user with this email address already exists')
 
     def test_can_change_their_password(self):
         new_password = 'bubblesgopop'

tests/integration/auth_tests.py

@@ -9,6 +9,28 @@ from oscar.core.compat import get_user_model
 User = get_user_model()
 
 
+class TestEmailAuthBackend(TestCase):
+
+    def test_authenticates_multiple_users(self):
+        password = 'lookmanohands'
+        users = [
+            User.objects.create_user(email, email, password=password)
+            for email in ['user1@example.com', 'user2@example.com']]
+        for created_user in users:
+            user = authenticate(username=created_user.email, password=password)
+            self.assertEquals(user, created_user)
+
+    def test_authenticates_different_email_spelling(self):
+        email = password = 'person@example.com'
+        created_user = User.objects.create_user(
+            'user1', email, password=password)
+
+        for email_variation in [
+            'Person@example.com', 'Person@EXAMPLE.COM', 'person@Example.com']:
+            user = authenticate(username=email_variation, password=password)
+            self.assertEquals(user, created_user)
+
+
 # Skip these tests for now as they only make sense when there isn't a unique
 # index on the user class.  The test suite currently uses a custom model that
 # *does* have a unique index on email.  When I figure out how to swap the user