You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: rasher [Submitted to the original trac issue database at 9.55pm, Sunday, 11th December 2011]
I recently talked to a mapper who was having trouble recovering his password so he could accept ODbL. It turned out when he signed up, he had used a different case than usual when entering his email address, and the password recovery process is case sensitive.
I've found that signup is also case-sensitive. I managed to signup for two accounts on the api06.dev using RASHER@gmail and rasher@gmail.
Now, email is by standard case-sensitive on the local name part, so you could say we're following the standard, and be done with it. However, this is rarely - if ever - the case on mail servers in "the real world", and I suspect most users don't expect it, so I think there's still room to question whether this is a good idea.
A few possible things to do:
Make sign-up case-insensitive. This could probably be done without other harm than offending the standards, I suspect.
Make password-recovery case-insensitive. This becomes problematic if there are already accounts in the db using the same email with different case for the local name part.
Make password-recovery as case-insensitive as possible. Look up accounts matching the entered email address case-insensitively. If there's a single match, we act case-insensitively. If there are more than one match, require a case sensitive match as well. This gets around the problem of existing "double" accounts, at the cost of somewhat unexpected behaviour for those users.
The text was updated successfully, but these errors were encountered:
Author: TomH [Added to the original trac issue at 10.53am, Monday, 12th December 2011]
We know that being case sensitive is not ideal, but it happened accidentally and by the time we realised there were duplicates in the database and it became very hard to do anything about it.
Basically only the third of your suggestions is realistically possible without somebody doing a lot of work to remove the duplicates.
Author: rasher [Added to the original trac issue at 11.04am, Monday, 12th December 2011]
Wouldn't the first option be possible as well? That is, preventing further such "duplicate" accounts?
Of course, all these points go for people using their email to log in as well, which I somehow overlooked.
As far as I can tell, implementing near-case-insensitivity for login and password recovery would only result in things working more as expected for the vast majority of users, and for unchanged behaviour for those with a "duplicate" account.
Only real problem I can see (besides needing someone to actually ''do'' it, of course) is if these two groups of people start talking to eachother.
Author: TomH [Added to the original trac issue at 11.19am, Monday, 12th December 2011]
Probably, but it would have to be done very carefully to ensure that we didn't make it impossible for existing users to change their settings.
There is also the small fact that we would to bypass rails and do postgres specific hacks in the migrations to make this work as we would need to add function indexes on the user table.
Author: TomH [Added to the original trac issue at 3.17pm, Wednesday, 14th December 2011]
Display names and email address are now required to be case insensitively unique when creating a new account or changing the name or address on an existing account.
In addition both login and password recovery will now allow a case insensitive match on the username so long as the match is unique - if it isn't unique then the entered name must match exactly.
Reporter: rasher
[Submitted to the original trac issue database at 9.55pm, Sunday, 11th December 2011]
I recently talked to a mapper who was having trouble recovering his password so he could accept ODbL. It turned out when he signed up, he had used a different case than usual when entering his email address, and the password recovery process is case sensitive.
I've found that signup is also case-sensitive. I managed to signup for two accounts on the api06.dev using RASHER@gmail and rasher@gmail.
Now, email is by standard case-sensitive on the local name part, so you could say we're following the standard, and be done with it. However, this is rarely - if ever - the case on mail servers in "the real world", and I suspect most users don't expect it, so I think there's still room to question whether this is a good idea.
A few possible things to do:
The text was updated successfully, but these errors were encountered: