Closed janagombitova closed 4 years ago
I think UserRestService should return an error on POST and PUT if the email is taken. Of course it is nice if the UI protests before that. The datascript that uploads the super admins could also get a check for duplicates.
I was pretty sure we have spoken about sorting this out before. https://github.com/akvo/akvo-flow/issues/1944 and https://github.com/akvo/akvo-flow/issues/1157
Problem
When creating a user on Flow we take the email as the main point of identification. Each user also is given a name and roles. However, we have no checks in place today to ensure an email is used only once. So what can happen is that the user example@akvo.org has access to the Flow instance to one folder and then another admin creates a 2nd user with the same email, example@akvo.org, and gives this user access to a different folder or everything.
Expectation
This should not be allowed. We should ensure that an email exists only once per instance. When creating a new user with an existing email, we should warn that this user already exists and not allow the admin to proceed with creating the new user.
Furthermore, when creating Flow instances we add super admins to each instance who are not visible in the User tab. How should these be handled in case of this issue?
Relevant existing issues
https://github.com/akvo/akvo-flow/issues/1944
https://github.com/akvo/akvo-flow/issues/2265
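The uniqueness rule requested in this issue, enforced on the server for both create (POST) and update (PUT) and for a seed list of super admins, as an added example that is not Akvo Flow's code. `UserStore`, `DuplicateEmail`, `normalize_email` and `duplicate_emails` are hypothetical names; treating case variants as the same address and including hidden super admins in the check are assumptions, not decisions recorded in the issue.

```python
from dataclasses import dataclass, field
from itertools import count

def normalize_email(email: str) -> str:
    # Assumption: addresses that differ only in case or surrounding
    # whitespace identify the same person.
    return email.strip().casefold()

class DuplicateEmail(Exception):
    """A REST layer would translate this into an error response (e.g. HTTP 409)."""

@dataclass
class UserStore:
    """Hypothetical in-memory stand-in for one instance's user records."""
    users: dict = field(default_factory=dict)     # user id -> record
    by_email: dict = field(default_factory=dict)  # normalized email -> user id
    _ids: count = field(default_factory=lambda: count(1))

    def create(self, email, name, roles, hidden=False):  # POST
        key = normalize_email(email)
        # Hidden super admins share the index, so they also block duplicates.
        if key in self.by_email:
            raise DuplicateEmail(key)
        uid = next(self._ids)
        self.users[uid] = {"email": key, "name": name,
                           "roles": set(roles), "hidden": hidden}
        self.by_email[key] = uid
        return uid

    def update_email(self, uid, new_email):  # PUT
        key = normalize_email(new_email)
        owner = self.by_email.get(key)
        # A user may keep (or re-case) their own address, but not take another's.
        if owner is not None and owner != uid:
            raise DuplicateEmail(key)
        del self.by_email[self.users[uid]["email"]]
        self.users[uid]["email"] = key
        self.by_email[key] = uid

def duplicate_emails(seed_emails):
    """Return the normalized addresses that occur more than once in a seed list."""
    seen, dupes = set(), set()
    for key in map(normalize_email, seed_emails):
        (dupes if key in seen else seen).add(key)
    return sorted(dupes)
```

The check-then-insert here is only safe because the store is in memory and single-threaded; against a real datastore the same rule needs a unique constraint or a transaction so that two concurrent requests cannot both pass the check.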