openlibhums / janeway

A web-based platform for publishing journals, preprints, conference proceedings, and books
https://janeway.systems/
GNU Affero General Public License v3.0

Account fields are not properly validated on import #2605

Open joemull opened 2 years ago

joemull commented 2 years ago

Describe the bug

It is possible to pass any string to the email field when importing account data (e.g. with plugins/imports/articles/all). Other fields are likely not being validated either. @mauromsl figured out that this was due to the AccountQuerySet class definition:

class AccountQuerySet(models.query.QuerySet):
    def create(self, **kwargs):
        obj = self.model(**kwargs)
        obj.clean()
        self._for_write = True
        obj.save(force_insert=True, using=self.db)
        return obj

Rather than obj.clean() it should have obj.full_clean(). This change has ramifications elsewhere, so other changes are going to be needed.

Janeway version 1.4

To see evidence of this, look at how test_bad_data in plugins/imports/tests/test_utils.py passes.

ajrbyers commented 1 month ago

I feel like this issue is quite important and we should probably get a fix for this urgently. Dumping at the top of triage for comment on Thursday.

joemull commented 1 month ago

Backlog refinement:

This is tricky because if we make the change to fix it, it is possible that many things will break. So, it will be important to test it thoroughly. We need test cases that cover all the edge cases for account creation. We need to test with all possible combinations of account data.

As it will also affect importers, we need to investigate the places that the account model is used, and create additional issues in each repository that needs one.