[BUG] - Two users cannot have the same email address #2866
Comments
|
@boc-the-git - idk if this is actually a bug, returning a generic error is a recommendation for OWASP. I think it just depends on if we want to follow OWASP guidelines or add more friendly error messages. |
|
@hay-kot I certainly have no strong feelings here, obviously it's been around for a while. On the registration page we pop up a message saying I haven't read OWASP in a long time, but I expect that's against it. The issue here however is that when creating a user as an admin, via https://demo.mealie.io/admin/manage/users/create, you don't get a nice error message like that and instead get a foreign key issue on the database. So it still gives you the same bad experience that I assume is against OWASP guidelines, and it doesn't give you the user friendliness that we already have on the registration page. |
|
The meaning behind the generic responses recommended by owasp is, that unauthenticated or low privileged users can not enumerate email addresses. |
First Check
What is the issue you are experiencing?
Impact: User cannot be created
Experienced: I tried to create a user with the same email addresses and got the error in the UI of " An unexpected error occurred" In the logs the error is "sqlite3.IntegrityError: UNIQUE constraint failed: users.email"
Expected: The error should be handled and if the no two users can have the same email address, the UI should display the error correctly.
Steps to Reproduce
Please provide relevant logs
mealie | ERROR: 19-Dec-23 20:09:30 (sqlite3.IntegrityError) UNIQUE constraint failed: users.email mealie | [SQL: INSERT INTO users (id, full_name, username, email, password, auth_method, admin, advanced, group_id, cache_key, login_attemps, locked_at, can_manage, can_invite, can_organize, owned_recipes_id, created_at, update_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)] mealie | [parameters: ('7471e2108c4247aabe1bf7a18d30a5dd', 'Dee', 'admin', '[email protected]', '$2b$12$EFvpHB4KV233p./wnKHhA..yhkH9Zyc/h0nEG4QO8ucFlvCoIyAi2', 'MEALIE', 1, 1, 'bd3b0e735fdd4633a482e9efd2e415a7', '1234', 0, None, 1, 1, 1, None, '2023-12-19 20:09:30.443978', '2023-12-19 20:09:30.443983')] mealie | (Background on this error at: https://sqlalche.me/e/20/gkpj) mealie | Traceback (most recent call last): mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1965, in _exec_single_context mealie | self.dialect.do_execute( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/default.py", line 921, in do_execute mealie | cursor.execute(statement, parameters) mealie | sqlite3.IntegrityError: UNIQUE constraint failed: users.email mealie | mealie | The above exception was the direct cause of the following exception: mealie | mealie | Traceback (most recent call last): mealie | File "/app/mealie/routes/_base/mixins.py", line 68, in create_one mealie | item = self.repo.create(data) mealie | File "/app/mealie/repos/repository_users.py", line 32, in create mealie | new_user = super().create(user) mealie | File "/app/mealie/repos/repository_generic.py", line 171, in create mealie | self.session.commit() mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 1920, in commit mealie | trans.commit(_to_root=True) mealie | File "<string>", line 2, in commit mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/state_changes.py", line 139, in _go mealie | ret_value = fn(self, *arg, **kw) mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 1236, in commit mealie | self._prepare_impl() mealie | File "<string>", line 2, in _prepare_impl mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/state_changes.py", line 139, in _go mealie | ret_value = fn(self, *arg, **kw) mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 1211, in _prepare_impl mealie | self.session.flush() mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 4163, in flush mealie | self._flush(objects) mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 4298, in _flush mealie | with util.safe_reraise(): mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/util/langhelpers.py", line 147, in __exit__ mealie | raise exc_value.with_traceback(exc_tb) mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/session.py", line 4259, in _flush mealie | flush_context.execute() mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/unitofwork.py", line 466, in execute mealie | rec.execute(self) mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/unitofwork.py", line 642, in execute mealie | util.preloaded.orm_persistence.save_obj( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/persistence.py", line 93, in save_obj mealie | _emit_insert_statements( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/orm/persistence.py", line 1226, in _emit_insert_statements mealie | result = connection.execute( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1412, in execute mealie | return meth( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/sql/elements.py", line 483, in _execute_on_connection mealie | return connection._execute_clauseelement( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1635, in _execute_clauseelement mealie | ret = self._execute_context( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1844, in _execute_context mealie | return self._exec_single_context( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1984, in _exec_single_context mealie | self._handle_dbapi_exception( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 2339, in _handle_dbapi_exception mealie | raise sqlalchemy_exception.with_traceback(exc_info[2]) from e mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1965, in _exec_single_context mealie | self.dialect.do_execute( mealie | File "/opt/pysetup/.venv/lib/python3.10/site-packages/sqlalchemy/engine/default.py", line 921, in do_execute mealie | cursor.execute(statement, parameters) mealie | sqlalchemy.exc.IntegrityError: (sqlite3.IntegrityError) UNIQUE constraint failed: users.email mealie | [SQL: INSERT INTO users (id, full_name, username, email, password, auth_method, admin, advanced, group_id, cache_key, login_attemps, locked_at, can_manage, can_invite, can_organize, owned_recipes_id, created_at, update_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)] mealie | [parameters: ('7471e2108c4247aabe1bf7a18d30a5dd', 'Dee', 'admin', '[email protected]', '$2b$12$EFvpHB4KV233p./wnKHhA..yhkH9Zyc/h0nEG4QO8ucFlvCoIyAi2', 'MEALIE', 1, 1, 'bd3b0e735fdd4633a482e9efd2e415a7', '1234', 0, None, 1, 1, 1, None, '2023-12-19 20:09:30.443978', '2023-12-19 20:09:30.443983')] mealie | (Background on this error at: https://sqlalche.me/e/20/gkpj)Mealie Version
Nightly
Build version fae8484f8425199a87ce8e7c694ef8a53c34b8b2
Deployment
Docker (Linux)
Additional Deployment Details
No response
The text was updated successfully, but these errors were encountered: