Posted by fgm on January 26, 2009 at 1:16pm
| Project: | Drupal core |
| Version: | 8.x-dev |
| Component: | openid.module |
| Category: | bug report |
| Priority: | normal |
| Assigned: | wojtha |
| Status: | needs work |
| Issue tags: | needs backport to D6, needs backport to D7, Needs tests |
Issue Summary
Instead of cleanly rejecting the attempt at using the openid on two distinct accounts, the module returns a MySQL error:
user warning: Duplicate entry '(some openid url)' for key 2 query: INSERT INTO www_authmap (uid, authname, module) VALUES (1, '(some open id url)','openid') in /somepath/www/modules/openid/openid.pages.inc on line 38.
then confirms "Successfully added (some openid url)", although it was obviously not added.
Comments
#1
Subscribing.
#2
Still there in 6.10 and 7.0 UNSTABLE 5
#3
This patch catches the duplicate key exception and displays an error message. Also, it doesn't check the identity prior to contacting the OpenID Provider, because the actual claimed_id may be different from the one supplied by the user. E.g. if the user just enters "yahoo.com", Yahoo responds with a claimed id that looks something like this: https://me.yahoo.com/a/15_jkHfcSwQSxcvmOujhdYhdsnwW-#a73Px
#4
I updated the test to add a query string argument instead of a dummy fragment, because the fragment should be stripped according to section 7.2 of OpenID Authentication 2.0 (though they are currently not).
#5
The last submitted patch failed testing.
#6
Reroll.
#7
The last submitted patch failed testing.
#8
Test bot glitch.
#9
The last submitted patch failed testing.
#10
The bot failed.
#11
The last submitted patch failed testing.
#12
trying out a new testing bot that apparently wasn't working
#13
Set #473982: OpenID not checked for duplicity as a duplicate of this one.
#14
Tested #6; looks fine, but needs another review to RTBC.
#15
$exception->errorInfo[0] == 23000 is not a reliable way to detect key conflicts across databases - see #505812: PDO uses inconsistant error codes between DBs.
#16
Subscribing. In D6.15 a similar warning is issued when trying to add the same OpenID twice (within the same Drupal user account).
#17
When trying to add the same Google OpenID (https://www.google.com/accounts/o8/id) on two different accounts, both attempts create an identity using the currently logged in Google account. Of course, if one wants to have different Google OpenIDs on two different Drupal accounts, one must log out of one Google account after having created the first OpenID, then log into a second Google account before creating the second OpenID, in which case twice entering https://www.google.com/accounts/o8/id will work (both attempts will lead to different OpenID keys). Obvious, yes, but to OpenID newbies this might be confusing -- perhaps the error message might be tweaked to help users understand how OpenID works.
#18
Subscribing
#19
Slightly different approach. I'm leaving the validation as it is, because it could catch some of the OpenIDs before the whole discovery and authorization process begins, and in the worst case it costs us only one select in the DB but should save more DB requests and server load. And I'm not using the PDO exception, which is not the same for all databases according to #15, but the same approach as in the form validation handler.
#20
#21
Test passed, but drupal.org doesn't respond this time because of network trouble, so the test status wasn't updated.
#22
#19: openid_duplicate_key_364348.patch queued for re-testing.
#23
Sent #19 for re-test against D7. However, this needs to be re-rolled against D8 either way.
Should also be covered by tests.
#24
Suppose we should decide on a way of collision detection - I filed #1376778: Consistent 'duplicate key' detection in core
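
An added example, not part of the thread or of any submitted patch: one way to combine the points in #3, #15 and #19, checking the provider's claimed_id with a select, keeping the unique key as the final guard, and never branching on a driver-specific error code. It uses plain PDO with in-memory SQLite rather than Drupal's database API; the schema is modelled on the INSERT in the issue summary, and `authmap_owner()` and `add_identity()` are hypothetical names.

```php
<?php
// Added example: plain PDO on in-memory SQLite, not Drupal's database API.
// Table modelled on the INSERT in the issue summary; the unique key on
// authname is assumed from the "Duplicate entry" error.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE authmap (
  aid INTEGER PRIMARY KEY,
  uid INTEGER NOT NULL,
  authname TEXT NOT NULL UNIQUE,
  module TEXT NOT NULL)");

// Hypothetical helper: uid that owns the identity, or null if unclaimed.
function authmap_owner(PDO $db, string $claimed_id): ?int {
  $q = $db->prepare("SELECT uid FROM authmap WHERE authname = ?");
  $q->execute([$claimed_id]);
  $uid = $q->fetchColumn();
  return $uid === false ? null : (int) $uid;
}

// Hypothetical helper: returns 'added', 'already_yours' or 'taken'.
// Call it with the claimed_id from the provider's response, not the user's input.
function add_identity(PDO $db, int $uid, string $claimed_id): string {
  $owner = authmap_owner($db, $claimed_id);
  if ($owner === null) {
    try {
      $ins = $db->prepare(
        "INSERT INTO authmap (uid, authname, module) VALUES (?, ?, 'openid')");
      $ins->execute([$uid, $claimed_id]);
      return 'added';
    }
    catch (PDOException $e) {
      // Do not branch on errorInfo[0]; re-read the row to see whether a
      // concurrent request claimed the identity between SELECT and INSERT.
      $owner = authmap_owner($db, $claimed_id);
      if ($owner === null) {
        throw $e; // Some other failure, not a key conflict.
      }
    }
  }
  return $owner === $uid ? 'already_yours' : 'taken';
}

// Constructed sample identity.
$id = 'https://openid.example/user?id=abc';
foreach ([1, 2, 1] as $uid) {
  echo "uid $uid: ", add_identity($db, $uid, $id), "\n";
}
```

Only the 'added' result should lead to a "Successfully added" message; 'taken' and 'already_yours' map to the two error cases raised in the summary and in #16.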