Subject: Empty email addresses must not be canonicalized
(This bug has also been filed as https://github.com/bestpractical/rt-extension-mergeusers/issues/2)
Email addresses are optional. Very bad things happen if we treat all users who have no email address as the same user.
Example:
1. $RT::Config::ValidateUserEmailAddresses is enabled (as per default)
2. There exists user "A" whose EmailAddress is empty.
3. There exists user "B" whose EmailAddress is 'b@example.org'.
4. User A is merged into User B.
Suppose RT::Interface::Web::AttemptExternalAuth() calls

    $UserObj->Create(Name => ..., Gecos => ...);

The call will fail, since the call gets canonicalized to

    $UserObj->Create(
        Name => ..., Gecos => ...,
        EmailAddress => 'b@example.org'
    );

and RT::User::ValidateUserEmailAddress() will reject it with an "Email address in use" error.
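
A simplified, self-contained Perl model of the failure described above, added here as an illustration; it is not code from RT or rt-extension-mergeusers. The user table, the merge map and every sub name are hypothetical stand-ins, and the guarded variant shows one way to keep an empty address out of the merge lookup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data mirroring the report:
# A has no email address and has been merged into B.
my %users = (
    A => { EmailAddress => '' },
    B => { EmailAddress => 'b@example.org' },
);
my %merged_into = ( A => 'B' );

# Hypothetical lookup: first user whose stored address matches exactly.
sub find_by_email {
    my ($email) = @_;
    for my $name (sort keys %users) {
        return $name if $users{$name}{EmailAddress} eq $email;
    }
    return;
}

# Flawed: an empty address matches user A, so A's merge target is followed.
sub canonicalize_flawed {
    my ($email) = @_;
    $email = '' unless defined $email;
    my $name = find_by_email($email);
    return $email unless defined $name && exists $merged_into{$name};
    return $users{ $merged_into{$name} }{EmailAddress};
}

# Guarded: empty or undefined means "no address" and is never looked up.
sub canonicalize_guarded {
    my ($email) = @_;
    return $email unless defined $email && length $email;
    return canonicalize_flawed($email);
}

# Stand-in for the uniqueness check applied when address validation is enabled.
sub create_user {
    my ($canon, %args) = @_;
    my $email = $canon->( $args{EmailAddress} );
    return "Email address in use"
        if defined $email && length $email && defined( find_by_email($email) );
    return "created";
}

printf "flawed:  %s\n", create_user(\&canonicalize_flawed,  Name => 'c');
printf "guarded: %s\n", create_user(\&canonicalize_guarded, Name => 'c');
```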