uniqueness for dbuser.email

spring / uberserver

uberserver, a matchmaking/chat lobby server for the spring rts project

https://springrts.com/wiki/Uberserver

Other

33 stars 38 forks source link

uniqueness for dbuser.email #359

Closed abma closed 4 years ago

abma commented 4 years ago

mail is no unique field: what happens when multiple results are returned? are all passwords reset?

silentwings commented 4 years ago

the oldest user account found in the db with the specified email is used - https://github.com/spring/uberserver/blob/master/SQLUsers.py#L637

new user accounts must use unique emails https://github.com/spring/uberserver/blob/master/SQLUsers.py#L581

resetting all is probably a bad idea, we want to encourage one account per (non-bot) user

the email field existed basically unused for years, so who knows what's inside it.... imposing a uniqueness constraint inside the db could now only be done by direct access/modification.

abma commented 4 years ago

ouch. this could be done much cleaner:

response = self.sess().query(User).filter(User.email == email).order_by(model.User.register_date)

(untested)

abma commented 4 years ago

for uniqueness in db: poke me, i can change that

silentwings commented 4 years ago

n2s: currently CREATEBOTACCOUNT allows a new bot account to share an email with the 'parent' non-bot account it copied pw/email; if we enforced db uniqueness, we would have to change this.

(as it stands currently, a consequence is that, bot accounts can only have pw reset requests sent by moderators)

silentwings commented 4 years ago

@abma

email addresses must be (changed to be) either unique or equal to None, in particular the empty string "" which is currently used for many users will count as non-uniqueness
there might be all kinds wierdness inside the email field of older users

CREATEBOTACCOUNT now creates bots with email=None