Checking for pre-existing accounts from a different flow when using social connect

philippeluickx · philippeluickx · commit 945008d326bd · 2017-10-05T12:06:05.000+03:00
diff --git a/rest_auth/registration/serializers.py b/rest_auth/registration/serializers.py
@@ -1,6 +1,7 @@
 from django.http import HttpRequest
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
+from django.contrib.auth import get_user_model
 
 try:
     from allauth.account import app_settings as allauth_settings
@@ -111,6 +112,20 @@ def validate(self, attrs):
             raise serializers.ValidationError(_('Incorrect value'))
 
         if not login.is_existing:
+            # We have an account already signed up in a different flow
+            # with the same email address: raise an exception.
+            # This needs to be handled in the frontend. We can not just
+            # link up the accounts due to security constraints
+            if(allauth_settings.UNIQUE_EMAIL):
+                # Do we have an account already with this email address?
+                existing_account = get_user_model().objects.filter(
+                    email=login.user.email,
+                ).count()
+                if(existing_account != 0):
+                    # There is an account already
+                    raise serializers.ValidationError(
+                    _("A user is already registered with this e-mail address."))
+
             login.lookup()
             login.save(request, connect=True)
         attrs['user'] = login.account.user
diff --git a/rest_auth/tests/requirements.pip b/rest_auth/tests/requirements.pip
@@ -2,3 +2,4 @@ django-allauth>=0.25.0
 responses>=0.3.0
 flake8==2.4.0
 djangorestframework-jwt>=1.7.2
+djangorestframework>=3.6.4
diff --git a/rest_auth/tests/test_social.py b/rest_auth/tests/test_social.py
@@ -275,8 +275,12 @@ def test_edge_case(self):
             'access_token': 'abc123'
         }
 
-        self.post(self.fb_login_url, data=payload, status_code=200)
-        self.assertIn('key', self.response.json.keys())
+        # You should not have access to an account created through register
+        # by loging in through FB with an account that has the same
+        # email address.
+        self.post(self.fb_login_url, data=payload, status_code=400)
+        # self.post(self.fb_login_url, data=payload, status_code=200)
+        # self.assertIn('key', self.response.json.keys())
 
     @responses.activate
     @override_settings(
