feat: don't allow account creation for secondary emails (#28880)

VAN-726
2021-11-19 17:06:24 +05:00
parent 95dbcaa323
commit 66654b2edb
2 changed files with 48 additions and 2 deletions
--- a/common/djangoapps/student/models.py
+++ b/common/djangoapps/student/models.py
@@ -337,7 +337,11 @@ def email_exists_or_retired(email):
    """
    Check an email against the User model for existence.
    """
-    return User.objects.filter(email=email).exists() or is_email_retired(email)
+    return (
+        User.objects.filter(email=email).exists() or
+        is_email_retired(email) or
+        AccountRecovery.objects.filter(secondary_email=email).exists()
+    )


 def get_retired_username_by_username(username):
--- a/openedx/core/djangoapps/user_authn/views/tests/test_register.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_register.py
@@ -53,7 +53,7 @@ from openedx.core.djangoapps.user_authn.views.register import REGISTRATION_FAILU
 from openedx.core.djangolib.testing.utils import CacheIsolationTestCase, skip_unless_lms
 from openedx.core.lib.api import test_utils
 from common.djangoapps.student.helpers import authenticate_new_user
-from common.djangoapps.student.tests.factories import UserFactory
+from common.djangoapps.student.tests.factories import AccountRecoveryFactory, UserFactory
 from common.djangoapps.third_party_auth.tests.testutil import ThirdPartyAuthTestMixin, simulate_running_pipeline
 from common.djangoapps.third_party_auth.tests.utils import (
    ThirdPartyOAuthTestMixin,
@@ -253,6 +253,48 @@ class RegistrationViewValidationErrorTest(
            }
        )

+    def test_register_duplicate_email_validation_error_with_recovery(self):
+        # Register the user
+        response = self.client.post(self.url, {
+            "email": self.EMAIL,
+            "name": self.NAME,
+            "username": self.USERNAME,
+            "password": self.PASSWORD,
+            "honor_code": "true",
+        })
+        self.assertHttpOK(response)
+
+        # Create recovery object
+        user = User.objects.get(email=self.EMAIL)
+        account_recovery = AccountRecoveryFactory(user=user)
+
+        # Try to create a user with the recovery email address
+        response = self.client.post(self.url, {
+            "email": account_recovery.secondary_email,
+            "name": "Someone Else",
+            "username": "someone_else",
+            "password": self.PASSWORD,
+            "honor_code": "true",
+        })
+
+        assert response.status_code == 409
+
+        response_json = json.loads(response.content.decode('utf-8'))
+        self.assertDictEqual(
+            response_json,
+            {
+                "email": [{
+                    "user_message": (
+                        "It looks like {} belongs to an existing account. "
+                        "Try again with a different email address."
+                    ).format(
+                        account_recovery.secondary_email
+                    )
+                }],
+                "error_code": "duplicate-email"
+            }
+        )
+
    def test_register_fullname_url_validation_error(self):
        """
        Test for catching invalid full name errors