6

I am using Django's default User model and the email is not unique, now I have multiple users with the same email address.

You can have User_A with email address user_a@example.com, and then a new user User_B can register with the same email address user_a@example.com.

This doesn't make sense in any programming universe, and it will cause confusion with email-sending functionality, and possible wrong password resets (if a password reset link is sent, with two users sharing the same email address).

This doesn't hold an obvious security vulnerability as I see it because only the original user has control of the original email address, so the attacker will not receive the reset emails.

However, this could result in the original user User_A being locked out of his original account (if he forgets his password) and being prevented from issuing a password reset because Django attempts to reset the new user User_B only. Obviously User_A wants access to his account, not to User_B's account.

  1. What is the justification?
  2. Obviously the password reset functionality is linked with the email, so if I reset the password based on the email, which user (upon following the password reset link) will be reset?
  3. How can I make the email field unique?
Orca
  • Maybe you want the person to have two different accounts? – Seth Jul 07 '13 at 17:26
  • @Seth Not a duplicate, I'm also asking about the behavior of password resets. – Orca Jul 07 '13 at 17:29
  • @Seth Sorry but it doesn't make sense to have two accounts with the same email, and I have never seen this behavior anywhere. – Orca Jul 07 '13 at 17:29
  • There were some downsides in django pre-1.5, so they introduced the configurable user options model. Now, the creation of user objects with duplicate emails should be handled in the `view`, or the form's `clean` method. – karthikr Jul 07 '13 at 17:44

2 Answers

6

The password reset functionality is indeed based on email addresses.

It will send a reset email to all accounts that have a corresponding email.

The context passed to the email template includes the user, so your email reset message may include the username to let the user identify which password this would reset.


All of these may be overridden by using:

  • A custom password reset form
  • A custom user model
Thomas Orozco
0

django.contrib.auth uses the username field to identify a user, not the email address, so there is no conflict if two users have the same email address.

Also, since the email address is not required, it is therefore blank or null in the database (neither of which makes for a good unique key).

And for your other question - the password reset will reset the password of the user who requested it, because it is requested by user name.

Having two accounts with the same address can be quite handy. For example, perhaps one is an admin account and the other is a normal user.

Seth
  • admin, and normal user? what is the `is_superuser` and `is_staff` flag for ? – karthikr Jul 07 '13 at 17:49
  • Doesn't the default `PasswordResetForm` [use the `email` to identify the user](https://github.com/django/django/blob/master/django/contrib/auth/forms.py#L210)? I might be missing something though. This is not to say one couldn't create an alternate form that uses the username, of course! – Thomas Orozco Jul 07 '13 at 17:54
  • @Thomas - You are correct. However, what I meant was that the reset token is not generated based on the email address, so a custom password reset form that uses the username only would still work even if two accounts had the same email address. – Seth Jul 07 '13 at 18:00
  • @karthikr - is_staff et al. identify that a user has special permissions (like the ability to get to the admin site). However, when testing a site, I generally create a normal user that does not have those permissions to make sure everything works properly. The rationale is something like having a root account and a regular user account on a unix system. – Seth Jul 07 '13 at 18:02
  • @Seth Oh, I didn't understand it that way, but that's indeed a great point! – Thomas Orozco Jul 07 '13 at 18:03
  • @Seth But many developers would have the password reset functionality take an email address (since the password reset link must arrive in email). In this case, who knows which user is used? – Orca Jul 07 '13 at 18:19
  • The user model password reset is based only on the email address and not on the user. It could certainly be useful to contemplate shared emails, in which case you need to customize resetting the password by adding a reference to the user. It would also be useful to have an option to set the uniqueness of mail addresses. – Erick Oct 18 '20 at 14:24
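As an added example (not code from either answer, and not Django's own source), here is a stdlib-only Python model of the behaviour discussed in both answers and the comment thread: the reset form selects every active user whose e-mail matches case-insensitively, and the reset token is bound to one user's primary key and current password hash, so each link resets exactly the account it was minted for and no other account sharing the address. It also includes the form-level uniqueness check karthikr's comment recommends. `User`, `get_users`, `make_token`, `check_token`, `reset_links`, `validate_unique_email`, `SECRET_KEY` and `TOKEN_TTL` are hypothetical stand-ins, and the token layout is a simplification of `PasswordResetTokenGenerator`, not its real encoding.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Stand-ins for settings.SECRET_KEY and PASSWORD_RESET_TIMEOUT (constructed values).
SECRET_KEY = b"constructed-secret-key-for-this-example-only"
TOKEN_TTL = 3 * 24 * 3600  # Django's default reset timeout is three days


@dataclass
class User:
    """Minimal stand-in for django.contrib.auth's User (hypothetical, not the real model)."""
    pk: int
    username: str
    email: str
    password_hash: str      # what Django stores; a "!" prefix marks an unusable password
    is_active: bool = True

    def has_usable_password(self) -> bool:
        return not self.password_hash.startswith("!")


def get_users(users, email):
    """Same selection PasswordResetForm.get_users() makes: active users whose
    e-mail matches case-insensitively and who have a usable password. With a
    non-unique email column this can legitimately return several users."""
    wanted = email.lower()
    return [u for u in users
            if u.is_active and u.email.lower() == wanted and u.has_usable_password()]


def _token_hash(user, timestamp):
    # The MAC covers the primary key and the current password hash: the token is
    # bound to one account, and it stops validating once that password changes.
    msg = f"{user.pk}|{user.password_hash}|{timestamp}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def make_token(user, now=None):
    ts = int(time.time() if now is None else now)
    return f"{ts}-{_token_hash(user, ts)}"


def check_token(user, token, now=None):
    """True only for the user the token was minted for, while it is unexpired."""
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not hmac.compare_digest(_token_hash(user, ts), mac):
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= TOKEN_TTL


def reset_links(users, email, now=None):
    """One link per matching account, each carrying that account's own token;
    put `user.username` in the mail body so the recipient knows which one it is."""
    return {u.username: f"/reset/{u.pk}/{make_token(u, now)}/"
            for u in get_users(users, email)}


def validate_unique_email(users, email):
    """The check a registration form's clean_email() should do while the email
    column itself is not unique (a custom user model with unique=True moves
    this into the database)."""
    if any(u.email.lower() == email.lower() for u in users):
        raise ValueError("A user with that email address already exists.")
    return email


# Constructed sample data: two accounts sharing an address, differing only in case.
SAMPLE_USERS = [
    User(1, "user_a", "user_a@example.com", "pbkdf2_sha256$hash_a"),
    User(2, "user_b", "User_A@example.com", "pbkdf2_sha256$hash_b"),
]

if __name__ == "__main__":
    for name, link in reset_links(SAMPLE_USERS, "user_a@example.com").items():
        print(name, link)
    try:
        validate_unique_email(SAMPLE_USERS, "USER_A@example.com")
    except ValueError as exc:
        print("registration rejected:", exc)
```

Running it prints one reset link per matching account, which is the situation the question describes: both users get a mail, and whichever link User_A follows resets only the account whose primary key and token are in that link. In a real project the two fixes the answers point at are `email = models.EmailField(unique=True)` on a custom user model, or a `clean_email()` on the registration form that does what `validate_unique_email` does here.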