Ticket #12297 (closed Bug: fixed)

Opened 5 years ago

Last modified 5 years ago

Plone Administrator unable to edit User Data

Reported by: interra Owned by:
Priority: major Milestone: 4.x
Component: General Version:
Keywords: Cc: esteele, maurits, huub_bouma, dokter, khink, mr_savage, kcleong, vmaksymiv, kroman0, chervol


When Use email address as login name option is turned on in Site-Setup/Security, Plone Administrators are unable to edit users’ data via @@user-information?userid=john@example.com view with The email address you selected is already in use or is not valid as login name. Please choose another. error message.

Analysis revealed issue in plone.app.users package, in checkEmailAddress constraint that validates email field of IUserDataSchema. There are following cases when checkEmailAddress schema email field constraint lets form validate:

  • Member is editing form herself and doesn’t change e-mail
  • Member is changing e-mail to site-wide unique value
  • Plone Administrator is changing e-mail to unique value.

Thus Plone Administrator can edit user’s Data only by changing e-mail each time form is being submitted.

The issue was reproduced in Plone-4.1.1 with plone.app.users-1.1.1. Fixes in plone.app.users-1.1.2 hadn’t touched the functionality in question.

I’ve included in CC those who influenced most the code in question. Pardon me if that was not welcome, please.


issue143241_4006.diff Download (4.0 KB) - added by interra 5 years ago.
v1 proposed patch that resolves the issue

Change History

comment:1 Changed 5 years ago by interra

One of the possible solutions is to introduce user field in IUserDataSchema schema as schema.Object(IUser, readonly=True) backed by user = property(get_user) in UserDataPanelAdapter and move isMemberIdAllowed logic from checkEmailAddress constraint into invariant that will validate data.email against data.user instead of membership.getAuthenticatedMember().

Additional actions necessary would be to omit readonly fields with FormFields(schema, omit_readonly=True) in UserDataPanel.__init__ or by explicit self.form_fields.omit(‘context’).

I’m concerned about the risks that IUserDataSchema schema change introduces for solutions that involve it. Please advice.

Changed 5 years ago by interra

v1 proposed patch that resolves the issue

comment:2 Changed 5 years ago by interra

The original proposal appeared not to work due to fact that on schema validation (even in invariants) there is no chance to invoke code from UserDataPanelAdapter as only submitted form data are passed to invariant.

The proposed patch Download moves calculation logic from schema into form validation, where userid is available.

comment:3 Changed 5 years ago by interra

There is pull request at GitHub for this issue at  https://github.com/plone/plone.app.users/pull/1

comment:4 Changed 5 years ago by maurits

  • Status changed from new to closed
  • Resolution set to fixed

Pull request has been merged. Thanks! Should end up in plone.app.users 1.1.3 once released.

comment:5 Changed 4 years ago by davisagli

  • Component changed from Infrastructure to General
Note: See TracTickets for help on using tickets.