- **status**: code-review --> in-progress
- **Comment**:

I've rebased on fresh master and made a couple of minor fixes. See `je/7717`

Test for "not confirmed" has a misleading comment (copied from "confirmed" test, 
I guess) and should check that a verification email was sent and not a "claim 
attempt" email.

Another issue is that you can end up in a situation where two users have the 
same confirmed email.

1. Claim email by user1 and verify
2. Claim the same email by user2. Email will appear in the emails list, but no 
verification link is sent. Good
3. Click (by user2) on "verify" link next to email. Verification link will be 
sent and you can verify

It's not so big of a problem, because the email is sent to the user that owns 
the email anyway, but he may click on the verification link accidentally or 
something. And also having two emails might mess up user-by-email lookups, e.g. 
`User.by_email_address`.

I think we should send "claim attempt" email in this case too. Add a test for 
this.

There are also pyflakes-related test failures:

~~~~~
Allura/allura/lib/app_globals.py:311: undefined name 'MockAMQ'
Allura/allura/lib/app_globals.py:313: undefined name 'Connection'
~~~~~

Not sure why these were removed in `25c1757a0f25f9b2b6bfd89a352bf2ea0baebdf3`; 
it seems unrelated to the ticket.



---

**[tickets:#7717] Better existing email addr handling**

**Status:** in-progress
**Milestone:** forge-oct-17
**Created:** Tue Sep 23, 2014 08:38 PM UTC by Dave Brondsema
**Last Updated:** Fri Oct 17, 2014 08:53 AM UTC
**Owner:** Alexander Luberg

When adding an email address to an account, we check to see if someone else has 
already claimed that address, and show error "Email address already claimed".  
This can be a form of email address enumeration (finding out if someone else's 
email is in the system).

We should avoid that, and have the result on the page be the same whether the 
email is already claimed or not.  The email that we send out to the address can 
be different (since only the real owner will get it).  The email can say 
something like "You tried to add EMAIL to your SITE_NAME account, but it is 
already claimed by your USERNAME account.  You should use that account instead, 
or remove that address from that account.  If this was not you who attempted 
this, you can safely ignore this email".  

We should also check to see if a claimed address belongs to a disabled user or 
not.
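
The behaviour the ticket asks for, together with the "verify" link path raised in the review comment, as an added example that is not Allura's code: `EmailStore`, its method names, the message text and the mail kinds are hypothetical, and skipping addresses held by disabled users is an assumption, since the ticket only says that case should be checked.

```python
# Added example: in-memory stand-in, not Allura's models or API.
from dataclasses import dataclass, field

UI_MESSAGE = "A verification email has been sent to the address."  # constructed text


@dataclass
class EmailStore:
    claims: dict = field(default_factory=dict)   # (username, address) -> confirmed?
    disabled: set = field(default_factory=set)   # usernames of disabled accounts
    outbox: list = field(default_factory=list)   # (kind, address, account named in mail)

    def confirmed_owner(self, address, asking_user):
        """Another enabled user who already confirmed this address, or None."""
        for (user, addr), confirmed in self.claims.items():
            if (addr == address and confirmed and user != asking_user
                    and user not in self.disabled):  # assumption: disabled owners don't block
                return user
        return None

    def _send(self, user, address):
        owner = self.confirmed_owner(address, user)
        if owner is None:
            self.outbox.append(("verification", address, user))
        else:
            # Only the mailbox owner reads this, so it may name the owning account.
            self.outbox.append(("claim_attempt", address, owner))
        return UI_MESSAGE  # identical in both branches: the page reveals nothing

    def claim(self, user, address):
        self.claims.setdefault((user, address.lower()), False)
        return self._send(user, address.lower())

    def resend_verification(self, user, address):
        # The "verify" link next to a listed address goes through the same check.
        return self._send(user, address.lower())

    def confirm(self, user, address):
        """Called when a verification link is followed; re-checks ownership."""
        address = address.lower()
        if (user, address) not in self.claims or self.confirmed_owner(address, user):
            return False
        self.claims[(user, address)] = True
        return True
```

Routing both the claim and the resend through one function keeps the two paths from drifting apart, and the re-check in `confirm` stops a second confirmed owner even if a verification link was issued earlier.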

