Banno / getsentry-ldap-auth

A Sentry extension to add an LDAP server as an authentication source.
Apache License 2.0
163 stars 55 forks

Fix IntegrityError when user has multiple email addresses #29

Closed ralphje closed 6 years ago

ralphje commented 6 years ago

Since you can set up multiple email addresses for users, it is possible that sentry_ldap_auth updates the wrong email address when changing the UserEmail field.

Say, you have two UserEmail objects for a user, 'personal' and 'system-wide'. When 'personal' gets updated to "system-wide", this generates an IntegrityError because (user, email) is unique in the database, preventing logon.

Instead of changing the attribute, I add it to the list of the user's email addresses. There's no reliable way to remove an old email address. I also do not add any empty email addresses.

I doubt this entire structure is even necessary because when the 'email' attribute is set correctly on AUTH_LDAP_USER_ATTR_MAP this should all happen automatically, since Sentry has added a signal on User creation to automatically create the UserEmail object.

I do delete any lingering UserEmails that are empty (this is the case if the map is not set up correctly, since django-auth-ldap will then create a User object without an email address).
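
The failure and the fix described in this pull request, reproduced as an added example (not code from the PR or from Sentry). It assumes a constructed SQLite table `useremail` that models only the unique (user, email) constraint; the table, function names and addresses are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the UserEmail table: only UNIQUE (user, email) matters here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE useremail (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,"
               " email TEXT NOT NULL, UNIQUE (user_id, email))")
    # Constructed rows: 'personal', 'system-wide', and a lingering empty address.
    db.executemany("INSERT INTO useremail (user_id, email) VALUES (?, ?)",
                   [(1, "personal@example.org"), (1, "system-wide@example.org"), (1, "")])
    db.commit()
    return db

def emails(db, user_id):
    rows = db.execute("SELECT email FROM useremail WHERE user_id = ? ORDER BY id", (user_id,))
    return [r[0] for r in rows]

def sync_by_overwrite(db, user_id, ldap_email):
    """Behaviour being fixed, modelled as overwriting one existing row with the LDAP value."""
    row = db.execute("SELECT id FROM useremail WHERE user_id = ? ORDER BY id LIMIT 1",
                     (user_id,)).fetchone()
    try:
        with db:  # commits on success, rolls back on error
            db.execute("UPDATE useremail SET email = ? WHERE id = ?", (ldap_email, row[0]))
        return True
    except sqlite3.IntegrityError:
        return False  # in an auth backend this error is what blocks the logon

def sync_by_adding(db, user_id, ldap_email):
    """Approach from the description: drop empty rows, add the LDAP address if missing."""
    with db:
        db.execute("DELETE FROM useremail WHERE user_id = ? AND email = ''", (user_id,))
        if ldap_email:  # never add an empty address
            db.execute("INSERT OR IGNORE INTO useremail (user_id, email) VALUES (?, ?)",
                       (user_id, ldap_email))
    return emails(db, user_id)

if __name__ == "__main__":
    db = make_db()
    print("overwrite succeeded:", sync_by_overwrite(db, 1, "system-wide@example.org"))
    print("after add-based sync:", sync_by_adding(db, 1, "system-wide@example.org"))
```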

aleksihakli commented 6 years ago

@barronhagerman is it possible to get this baked into a new release, e.g. 2.6? We have ongoing issues with users inputting custom emails and failing authentication over LDAP afterwards.