Fix up login for new accounts using old emails. (bug 914358)

2013-09-09 14:39:38 -07:00 · 2013-09-09 14:39:38 -07:00 · 4a963e4fca
--- a/apps/users/tests/test_views.py
+++ b/apps/users/tests/test_views.py
@ -606,6 +606,35 @@ class TestLogin(UserViewBase):
        eq_(user.get().failed_login_attempts, 4)


+    def test_doubled_account(self):
+        """
+        Logging in to an account that shares a User object with another
+        account works properly.
+        """
+        profile = UserProfile.objects.create(username='login_test',
+                                             email='bob@example.com')
+        profile.set_password('baz')
+        profile.create_django_user()
+        profile.email = 'charlie@example.com'
+        profile.save()
+        profile2 = UserProfile.objects.create(username='login_test2',
+                                              email='bob@example.com')
+        profile2.set_password('foo')
+        profile2.save()
+
+        res = self.client.post(self.url, data={'username': 'charlie@example.com',
+                                               'password': 'wrong'})
+        eq_(res.status_code, 200)
+        eq_(UserProfile.objects.get(email='charlie@example.com')
+            .failed_login_attempts, 1)
+        res2 = self.client.post(self.url, data={'username': 'charlie@example.com',
+                                                'password': 'baz'})
+        eq_(res2.status_code, 302)
+        res3 = self.client.post(self.url, data={'username': 'bob@example.com',
+                                                'password': 'foo'})
+        eq_(res3.status_code, 302)
+
+
 class TestPersonaLogin(UserViewBase):
    fixtures = ('users/test_backends',)

--- a/apps/users/views.py
+++ b/apps/users/views.py
@ -481,11 +481,15 @@ def _login(request, template=None, data=None, dont_redirect=False):
            request = _clean_next_url(request)
            r = http.HttpResponseRedirect(request.GET['to'])

+        # We look up UserProfile directly by email address instead of
+        # calling get_profile because we may have more than one
+        # UserProfile pointing at a django user record.
+        user = UserProfile.objects.get(email=request.user.email)
+
+
        # Succsesful log in according to django.  Now we do our checks.  I do
        # the checks here instead of the form's clean() because I want to use
        # the messages framework and it's not available in the request there.
-        user = request.user.get_profile()
-
        if user.deleted:
            logout(request)
            log.warning(u'Attempt to log in with deleted account (%s)' % user)