A user in Oscar is identified by email address instead of the username. This is, however, not set as a ``unique`` constraint in the user model in ``django.contrib.auth.models.User``. Checks if an email already exists are carried out when a user registers but are ignored when a registered user changes their profile. This can lead to multiple users having the same email address which should not happen. I provide a failing test with a mixin that can be used in both the ``UserForm`` and ``UserAndProfileForm`` to clean the email field when validating the form. A ``ValidationError`` is raised when a user with this email address already exists and is not the currently edited instance (makes sure that profile updates with unchanged email work still). Fixes #324

13 年之前 · 91cd80d6bc
--- a/oscar/apps/customer/forms.py
+++ b/oscar/apps/customer/forms.py
@@ -10,6 +10,7 @@ from django.contrib.auth.models import User
 
				
				 from django.contrib.auth import forms as auth_forms
			
 
				
				 from django.conf import settings
			
 
				
				 from django.core import validators
			
 
				
				+from django.core.exceptions import ValidationError
			
 
				
				 from django.utils.http import int_to_base36
			
 
				
				 from django.contrib.sites.models import get_current_site
			
 
				
				 from django.contrib.auth.tokens import default_token_generator
			
@@ -211,7 +212,33 @@ class SearchByDateRangeForm(forms.Form):
 
				
				         return {}
			
 
				
				 
			
 
				
				 
			
 
				
				-class UserForm(forms.ModelForm):
			
 
				
				+class CleanEmailMixin(object):
			
 
				
				+
			
 
				
				+    def clean_email(self):
			
 
				
				+        """
			
 
				
				+        Make sure that the email address is aways unique as it is
			
 
				
				+        used instead of the username. This is necessary because the
			
 
				
				+        unique-ness of email addresses is *not* enforced on the model
			
 
				
				+        level in ``django.contrib.auth.models.User``.
			
 
				
				+        """
			
 
				
				+        email = self.cleaned_data['email']
			
 
				
				+
			
 
				
				+        try:
			
 
				
				+            user = User.objects.get(email=email)
			
 
				
				+        except User.DoesNotExist:
			
 
				
				+            # this email address is unique so we don't have to worry
			
 
				
				+            # about it
			
 
				
				+            return email
			
 
				
				+
			
 
				
				+        if self.instance and self.instance.id != user.id:
			
 
				
				+            raise ValidationError(
			
 
				
				+                _("A user with this email address already exists")
			
 
				
				+            )
			
 
				
				+
			
 
				
				+        return email
			
 
				
				+
			
 
				
				+
			
 
				
				+class UserForm(forms.ModelForm, CleanEmailMixin):
			
 
				
				 
			
 
				
				     def __init__(self, user, *args, **kwargs):
			
 
				
				         self.user = user
			
@@ -229,7 +256,7 @@ if hasattr(settings, 'AUTH_PROFILE_MODULE'):
 
				
				 
			
 
				
				     Profile = get_profile_class()
			
 
				
				 
			
 
				
				-    class UserAndProfileForm(forms.ModelForm):
			
 
				
				+    class UserAndProfileForm(forms.ModelForm, CleanEmailMixin):
			
 
				
				 
			
 
				
				         first_name = forms.CharField(label=_('First name'), max_length=128)
			
 
				
				         last_name = forms.CharField(label=_('Last name'), max_length=128)
			
--- a/tests/functional/customer/profile_tests.py
+++ b/tests/functional/customer/profile_tests.py
@@ -1,11 +1,8 @@
 
				
				-import httplib
			
 
				
				 from mock import patch
			
 
				
				 from decimal import Decimal as D
			
 
				
				 
			
 
				
				 from django.contrib.auth.models import User
			
 
				
				 from django.core.urlresolvers import reverse
			
 
				
				-from django.test import TestCase
			
 
				
				-from django.test.client import Client
			
 
				
				 
			
 
				
				 from oscar.test.helpers import create_product, create_order
			
 
				
				 from oscar.test import ClientTestCase, WebTestCase
			
@@ -45,6 +42,31 @@ class TestASignedInUser(WebTestCase):
 
				
				         self.assertEqual('Barry', user.first_name)
			
 
				
				         self.assertEqual('Chuckle', user.last_name)
			
 
				
				 
			
 
				
				+    def test_cant_update_their_email_address_if_it_already_exists(self):
			
 
				
				+        User.objects.create_user(username='testuser', email='new@example.com',
			
 
				
				+                                 password="somerandompassword")
			
 
				
				+        self.assertEquals(User.objects.count(), 2)
			
 
				
				+
			
 
				
				+        profile_form_page = self.app.get(reverse('customer:profile-update'),
			
 
				
				+                                user=self.user)
			
 
				
				+        self.assertEqual(200, profile_form_page.status_code)
			
 
				
				+        form = profile_form_page.forms['profile_form']
			
 
				
				+        form['email'] = 'new@example.com'
			
 
				
				+        form['first_name'] = 'Barry'
			
 
				
				+        form['last_name'] = 'Chuckle'
			
 
				
				+        response = form.submit()
			
 
				
				+
			
 
				
				+        user = User.objects.get(id=self.user.id)
			
 
				
				+        self.assertEqual(self.email, user.email)
			
 
				
				+
			
 
				
				+        try:
			
 
				
				+            User.objects.get(email='new@example.com')
			
 
				
				+        except User.MultipleObjectsReturned:
			
 
				
				+            self.fail("email for user changed to existing one")
			
 
				
				+
			
 
				
				+        self.assertContains(response,
			
 
				
				+                            'A user with this email address already exists')
			
 
				
				+
			
 
				
				     def test_can_change_their_password(self):
			
 
				
				         password_form_page = self.app.get(reverse('customer:change-password'),
			
 
				
				                                           user=self.user)