
Multiple users with same email address

Open adrianbj opened this issue 10 years ago • 11 comments

Not sure if this is intended behavior or not, but I discovered that it is possible to assign the same email address to more than one user when creating new users and editing existing ones. However, the check for an existing user with the same email address works when the user is editing their profile.

adrianbj avatar Aug 07 '14 21:08 adrianbj

I hope this isn't gonna change. I am using this very "feature" to allow both admin and user accounts for the same people under different contexts. It's an edge case but in this case it's very important. I can see other uses for it, e.g. having multiple accounts that get updates to a common address.

plauclair avatar Aug 09 '14 05:08 plauclair

@plauclair - it might well be intended behavior - just thought I should raise it in case. If it's not, perhaps there could be an exception for superusers to create multiple users with same email address, but not for other admin users with user-admin permissions. I guess we'll see what Ryan has to say.

adrianbj avatar Aug 09 '14 06:08 adrianbj

I don't see why we should restrict anything based on emails. It's up to you to enforce that behavior.

plauclair avatar Aug 09 '14 22:08 plauclair

Regarding this issue, please see discussion at https://processwire.com/talk/topic/3625-security-issue/. Ryan's post outlines some reasons why emails probably should be unique.

Personally I haven't invested enough time in this topic to argue for or against unique emails, but it's true that I've had to circumvent current behaviour on numerous occasions (for email login purposes etc.). In fact I prefer email logins over arbitrary usernames whenever possible, but that's another topic already...

teppokoivula avatar Aug 09 '14 23:08 teppokoivula

Emails need to be unique if they are used for login, involved in any kind of user input during the password reset process, or any kind of other authentication. It's also just generally a good idea to keep emails unique. We don't enforce that at present (except in ProcessProfile) but may in the future, or at least will make it an option. In our case we don't absolutely need emails to be unique since we're not using them for any kind of authentication, but I always worry other people might use them for that on their own login forms.

ryancramerdesign avatar Aug 14 '14 13:08 ryancramerdesign

I guess my concern is with anything in PW that sends an email to a user or collection of users. My biggest worry would be the Forgot Password module - what happens if someone triggers that but when an admin user added their account they mistyped their email address and it happened to match an address already belonging to another user. Now we have the password reset link being sent to the wrong user. Now you have one user being able to reset the password of a different user.

Accidental matching passwords might be unlikely, but certainly possible. One simple example would be our work environment where originally email addresses were just lastname@ and now they are firstinitiallastname@

When you have a last name like Jones, this can be an easy mistake :)

adrianbj avatar Aug 14 '14 14:08 adrianbj

In the case you describe, it would have to be a superuser being sloppy because PW won't let other users change their email address to one already in use. Superuser is the same thing as root on a unix system, and with that power comes responsibility to pay attention to what you type (especially for your own account!). Though, like has already been mentioned on this thread, there are plenty of folks using the same email address in multiple accounts intentionally. Though if a superuser changes their email in their profile (as opposed to the users editor), it'll still block them from doing it. If it's a concern in your case, issue this command below in PhpMyAdmin to your field, which will prevent it at the DB level. Likely in 2.6 we'll add unique index support to all text fields (as an option) which would naturally extend to the email field as well.

ALTER TABLE field_email ADD UNIQUE (data);

ryancramerdesign avatar Aug 14 '14 16:08 ryancramerdesign
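
An added example, not part of the comment above or of ProcessWire itself: `ADD UNIQUE` fails if the table already holds a repeated value, so the existing rows can be audited first. It assumes the usual ProcessWire layout, where `field_email` has columns `pages_id` and `data` and users are rows in `pages` whose `name` is the username.

```sql
-- Added example: audit field_email before applying the UNIQUE index.
-- Assumed schema: field_email(pages_id, data), pages(id, name).

-- 1. Addresses held by more than one account, with the usernames involved.
--    Grouping follows the column's collation, so it reports exactly the
--    collisions the UNIQUE index would reject (blank values included,
--    if any rows with an empty address exist).
SELECT e.data                                               AS email,
       COUNT(*)                                             AS accounts,
       GROUP_CONCAT(p.name ORDER BY p.name SEPARATOR ', ')  AS usernames
FROM   field_email AS e
JOIN   pages       AS p ON p.id = e.pages_id
GROUP  BY e.data
HAVING COUNT(*) > 1
ORDER  BY accounts DESC, email;

-- 2. Near-duplicates that differ only by case or surrounding whitespace.
--    Under a case-sensitive collation the index would let these through,
--    yet a mail system may still deliver them to the same mailbox.
SELECT LOWER(TRIM(e.data))                                  AS normalized_email,
       COUNT(*)                                             AS accounts,
       GROUP_CONCAT(p.name ORDER BY p.name SEPARATOR ', ')  AS usernames
FROM   field_email AS e
JOIN   pages       AS p ON p.id = e.pages_id
GROUP  BY LOWER(TRIM(e.data))
HAVING COUNT(*) > 1;

-- 3. Once both queries return no rows (or the intentional shared
--    addresses have been resolved), apply the constraint from the comment:
ALTER TABLE field_email ADD UNIQUE (data);
```

Any rows returned by the first query have to be resolved before step 3 will succeed; sites that share an address across accounts on purpose, as described earlier in the thread, cannot use this constraint.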

I am not really worried about the superuser (typically only ever me), but other admin users with user-admin permissions can also do this. That is the scenario I am most concerned about. I have one regular user who can't ever seem to even remember her username, so who knows what she might do if I gave her user-admin permission :) Anyway, it's not an urgent thing for me, I just wanted to raise some of the issues I thought might be important.

adrianbj avatar Aug 14 '14 16:08 adrianbj

I have two usernames with one email apparently. When rebuilding my Jenkins server, I get a failed to authenticate and now I cannot reset the password of the other account. Any help would be appreciated.

ghost avatar Oct 20 '17 21:10 ghost

It creates a lot of problems while authenticating from third party. Is there any way to delete a profile?

amabirbd avatar Oct 21 '19 06:10 amabirbd

Hey folks. This repository is no longer actively used – if there's still a problem, please open a new issue at https://github.com/processwire/processwire-issues, or suggest a new feature at https://github.com/processwire/processwire-requests. Thanks!

> It creates a lot of problems while authenticating from third party. Is there any way to delete a profile?

I'm not entirely sure what you're referring to here, but you can delete existing users via the admin, or you can use the API to do that. Depends a lot on your use case.

Regarding earlier question about resetting a password of an existing user, again this can be done via the Admin, but there's also an easy way to do it via the API: https://processwire.com/talk/topic/1736-forgot-backend-password-how-do-you-reset/?do=findComment&comment=16163.

If you have a question about working with ProcessWire or doing some specific thing with it, I would highly recommend asking the question at the support forum: https://processwire.com/talk/. GitHub issues are a great place to raise an issue when there's actually something wrong with the system, but when you require help with it, the support forum is a much better place (and you'll get answers faster as well).

teppokoivula avatar Oct 21 '19 06:10 teppokoivula