changeset 2888:78d96fd775ba

make newuser action check email using get_by_email_address. Reimar pointed out that it is possible to register another email address with different case, while get_by_email_address works case-insensitively, which could result in security problems when retrieving the password.
author Johannes Berg <johannes AT sipsolutions DOT net>
date Thu, 11 Oct 2007 11:27:10 +0200
parents aea1aadf2cfb
children 87881ad9ab3b
files MoinMoin/action/newaccount.py
diffstat 1 files changed, 2 insertions(+), 7 deletions(-) [+]
--- a/MoinMoin/action/newaccount.py	Fri Oct 05 07:54:22 2007 -0700
+++ b/MoinMoin/action/newaccount.py	Thu Oct 11 11:27:10 2007 +0200
@@ -72,13 +72,8 @@
 
     # Email should be unique - see also MoinMoin/script/accounts/moin_usercheck.py
     if theuser.email and request.cfg.user_email_unique:
-        users = user.getUserList(request)
-        for uid in users:
-            if uid == theuser.id:
-                continue
-            thisuser = user.User(request, uid)
-            if thisuser.email == theuser.email and not thisuser.disabled:
-                return _("This email already belongs to somebody else.")
+        if user.get_by_email_address(request, theuser.email):
+            return _("This email already belongs to somebody else.")
 
     # save data
     theuser.save()
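Review bot: The new check `if user.get_by_email_address(request, theuser.email):` drops the `not thisuser.disabled` condition of the loop it replaces, so whether an address held only by a disabled account blocks registration now depends on the helper, whose body is not visible in this hunk. If the helper returns disabled accounts, registration becomes stricter than before, and that should be confirmed as intended. The reason for the change also deserves a comment above the check, for example `# Must use the same (case-insensitive) lookup as password recovery, otherwise two accounts can share one mailbox.` Separately, the check and `theuser.save()` are distinct steps, so two concurrent registrations with the same address could presumably both pass. The enclosing function starts and ends outside the hunk.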