Skip Menu |

This queue is for tickets about the RT-Extension-MergeUsers CPAN distribution.

Report information
The Basics
Id: 115494
Status: new
Priority: 0/
Queue: RT-Extension-MergeUsers

People
Owner: Nobody in particular
Requestors: DEREKP [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 1.02_01
Fixed in: (no value)



Subject: Empty email addresses must not be canonicalized
(This bug has also been filed as https://github.com/bestpractical/rt-extension-mergeusers/issues/2) Email addresses are optional. Very bad things happen if we treat all users who have no email address as the same user. Example: 1. $RT::Config::ValidateUserEmailAddresses is enabled (as per default) 2. There exists user "A" whose EmailAddress is empty. 3. There exists user "B" whose EmailAddress is 'b@example.org'. 4. User A is merged into User B. Suppose RT::Interface::Web::AttemptExternalAuth() calls $UserObj->Create(Name => ..., Gecos => ...); The call will fail, since the call gets canonicalized to $UserObj->Create( Name => ..., Gecos => ..., EmailAddress => 'b@example.org' ); and RT::User::ValidateUserEmailAddress() will reject it with an "Email address in use" error.