From 006265f8c1957eff74307719cda3065bccb42877 Mon Sep 17 00:00:00 2001
From: George Katsikas <giorgakis.katsikas@gmail.com>
Date: Wed, 6 Mar 2024 12:40:52 +0100
Subject: [PATCH] forbid users from changing to another's email fixes #203
---
 scipost_django/scipost/forms.py | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/scipost_django/scipost/forms.py b/scipost_django/scipost/forms.py
index 1bd9deef9..94e3e10ec 100644
--- a/scipost_django/scipost/forms.py
+++ b/scipost_django/scipost/forms.py
@@ -335,6 +335,23 @@ class UpdateUserDataForm(forms.ModelForm):
 super().__init__(*args, **kwargs)
 self.fields["last_name"].widget.attrs["readonly"] = True
 
+ def clean_email(self):
+ if email := self.cleaned_data.get("email"):
+ other_users = User.objects.filter(email=email).exclude(pk=self.instance.pk)
+ if other_users.exists():
+ self.add_error(
+ "email",
+ "This email is already in use by another user. "
+ "If it belongs to you and you have forgotten your credentials, "
+ "use the email in place of your username and/or reset your password.",
+ )
+ # other_profiles = Profile.objects.filter(emails__email=email).exclude(
+ # user=self.instance
+ # )
+ # if other_profiles.exists():
+
+ return email or self.instance.email
+
 def clean_last_name(self):
 """Make sure the `last_name` cannot be saved via this form."""
 instance = getattr(self, "instance", None)
@@ -404,9 +421,9 @@ class UpdatePersonalDataForm(forms.ModelForm):
 ]
 self.fields["orcid_id"].initial = self.instance.profile.orcid_id
 self.fields["webpage"].initial = self.instance.profile.webpage
- self.fields[
- "accepts_SciPost_emails"
- ].initial = self.instance.profile.accepts_SciPost_emails
+ self.fields["accepts_SciPost_emails"].initial = (
+ self.instance.profile.accepts_SciPost_emails
+ )
 
 def save(self):
 self.instance.profile.title = self.cleaned_data["title"]
-- 
GitLab
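Review bot: The uniqueness check in the new `clean_email` uses an exact match, `User.objects.filter(email=email)`, so on a case-sensitive database collation an address that differs from another account's only in letter case would still pass. Because the error text tells users the email can stand in for the username, that would leave two accounts answering to the same address; consider `other_users = User.objects.filter(email__iexact=email).exclude(pk=self.instance.pk)`. The commented-out `Profile.objects.filter(emails__email=email)` block suggests that addresses attached to other users' profiles are not checked yet, so either finish that branch or replace it with a short TODO stating the intent. The check also lives only in the form, so unless uniqueness is enforced at the model or database level (not visible in this hunk), two concurrent submissions could both pass it. The `UpdateUserDataForm` class body starts before and continues after this hunk.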