Check for existing email when updating profile

A user in Oscar is identified by email address instead of the
username. This is, however, not set as a ``unique`` constraint
in the user model in ``django.contrib.auth.models.User``. Checks
if an email already exists are carried out when a user registers
but are ignored when a registered user changes their
profile. This can lead to multiple users having the same email
address which should not happen.

I provide a failing test with a mixin that can be used in both
the ``UserForm`` and ``UserAndProfileForm`` to clean the email
field when validating the form. A ``ValidationError`` is raised
when a user with this email address already exists and is not
the currently edited instance (makes sure that profile updates
with unchanged email work still).

Fixes #324

oscar/apps/customer/forms.py

 from django.contrib.auth import forms as auth_forms
 from django.conf import settings
 from django.core import validators
+from django.core.exceptions import ValidationError
 from django.utils.http import int_to_base36
 from django.contrib.sites.models import get_current_site
 from django.contrib.auth.tokens import default_token_generator
         return {}
 
 
-class UserForm(forms.ModelForm):
+class CleanEmailMixin(object):
+
+    def clean_email(self):
+        """
+        Make sure that the email address is aways unique as it is
+        used instead of the username. This is necessary because the
+        unique-ness of email addresses is *not* enforced on the model
+        level in ``django.contrib.auth.models.User``.
+        """
+        email = self.cleaned_data['email']
+
+        try:
+            user = User.objects.get(email=email)
+        except User.DoesNotExist:
+            # this email address is unique so we don't have to worry
+            # about it
+            return email
+
+        if self.instance and self.instance.id != user.id:
+            raise ValidationError(
+                _("A user with this email address already exists")
+            )
+
+        return email
+
+
+class UserForm(forms.ModelForm, CleanEmailMixin):
 
     def __init__(self, user, *args, **kwargs):
         self.user = user
 
     Profile = get_profile_class()
 
-    class UserAndProfileForm(forms.ModelForm):
+    class UserAndProfileForm(forms.ModelForm, CleanEmailMixin):
 
         first_name = forms.CharField(label=_('First name'), max_length=128)
         last_name = forms.CharField(label=_('Last name'), max_length=128)

tests/functional/customer/profile_tests.py

-import httplib
 from mock import patch
 from decimal import Decimal as D
 
 from django.contrib.auth.models import User
 from django.core.urlresolvers import reverse
-from django.test import TestCase
-from django.test.client import Client
 
 from oscar.test.helpers import create_product, create_order
 from oscar.test import ClientTestCase, WebTestCase
         self.assertEqual('Barry', user.first_name)
         self.assertEqual('Chuckle', user.last_name)
 
+    def test_cant_update_their_email_address_if_it_already_exists(self):
+        User.objects.create_user(username='testuser', email='new@example.com',
+                                 password="somerandompassword")
+        self.assertEquals(User.objects.count(), 2)
+
+        profile_form_page = self.app.get(reverse('customer:profile-update'),
+                                user=self.user)
+        self.assertEqual(200, profile_form_page.status_code)
+        form = profile_form_page.forms['profile_form']
+        form['email'] = 'new@example.com'
+        form['first_name'] = 'Barry'
+        form['last_name'] = 'Chuckle'
+        response = form.submit()
+
+        user = User.objects.get(id=self.user.id)
+        self.assertEqual(self.email, user.email)
+
+        try:
+            User.objects.get(email='new@example.com')
+        except User.MultipleObjectsReturned:
+            self.fail("email for user changed to existing one")
+
+        self.assertContains(response,
+                            'A user with this email address already exists')
+
     def test_can_change_their_password(self):
         password_form_page = self.app.get(reverse('customer:change-password'),
                                           user=self.user)