Instead of cleanly rejecting the attempt at using the openid on two distinct accounts, the module returns a MySQL error:
user warning: Duplicate entry '(some openid url)' for key 2 query: INSERT INTO www_authmap (uid, authname, module) VALUES (1, '(some open id url)','openid') in /somepath/www/modules/openid/openid.pages.inc on line 38.
then confirms "Successfully added (some openid url)", although it was obviously not added.
Comment | File | Size | Author |
---|---|---|---|
#26 | 364348-26.patch | 1.57 KB | rpayanm |
#19 | openid_duplicate_key_364348.patch | 1.87 KB | wojtha |
#6 | openid-duplicate-key-3.patch | 7.11 KB | c960657 |
#4 | openid-duplicate-key-2.patch | 7.02 KB | c960657 |
#3 | openid-duplicate-key-1.patch | 6.87 KB | c960657 |
Comments
Comment #1
Leeteq CreditAttribution: Leeteq commentedSubscribing.
Comment #2
fgmStill there in 6.10 and 7.0 UNSTABLE 5
Comment #3
c960657 CreditAttribution: c960657 commentedThis patch catches the duplicate key exception and displays an error message. Also, it doesn't check the identity prior to contacting the OpenID Provider, because the actual claimed_id may different from the one supplied by the user. E.g. if the user just enters "yahoo.com", Yahoo responds with a claimed id that looks something like this: https://me.yahoo.com/a/15_jkHfcSwQSxcvmOujhdYhdsnwW-#a73Px
Comment #4
c960657 CreditAttribution: c960657 commentedI updated the test to add a query string argument instead of a dummy fragment, because the fragment should be stripped according to section 7.2 of OpenID Authentication 2.0 (though they are currently not).
Comment #6
c960657 CreditAttribution: c960657 commentedReroll.
Comment #8
c960657 CreditAttribution: c960657 commentedTest bot glitch.
Comment #10
andypostBot was failed
Comment #12
deekayen CreditAttribution: deekayen commentedtrying out a new testing bot that apparently wasn't working
Comment #13
Gábor HojtsySet #473982: OpenID not checked for duplicity a duplicate of this one.
Comment #14
andypostTested #6 looks fine but needs another review to rtbc
Comment #15
c960657 CreditAttribution: c960657 commented$exception->errorInfo[0] == 23000
is not a reliable way to detect key conflicts across databases - see #505812: PDO uses inconsistant error codes between DBs.Comment #16
skizzo CreditAttribution: skizzo commentedSubscribing. In D6.15 a similar warning is issued when trying to add the same OpenID twice (within the same Drupal user account).
Comment #17
alberto56 CreditAttribution: alberto56 commentedWhen trying to add the same Google OpenID (https://www.google.com/accounts/o8/id) on two different accounts, both attempts create an identity using the currently logged in Google account. Of course, if one wants to have different Google OpenIDs on two different Drupal accounts, one must log out of one Google account after having created the first OpenID, then log into a second Google account before creating the second OpenID, in which case twice entering https://www.google.com/accounts/o8/id will work (both attempts will lead to different OpenID keys). Obvious, yes, but to OpenID newbies this might be confusing -- perhaps the error message might be tweaked to help users understand how OpenID works.
Comment #18
wojtha CreditAttribution: wojtha commentedSubscribing
Comment #19
wojtha CreditAttribution: wojtha commentedSlightly different approach. I'm leaving the validation as it is, becuase it could catch some of the OpenID before whole discovery and authorization process begins and in worst case cost us only one select in DB but should save more DB requests and server load. And I'm not using PDO Exception which is not same for all databases according to #15, but the same approach like in form validation handler.
Comment #20
wojtha CreditAttribution: wojtha commentedComment #21
wojtha CreditAttribution: wojtha commentedTest passed, but drupal.org doesn't respond this time because of network trouble, so the test status wasn't updated.
Comment #22
sun#19: openid_duplicate_key_364348.patch queued for re-testing.
Comment #23
sunSent #19 for re-test against D7. However, this needs to be re-rolled against D8 either way.
Should also be covered by tests.
Comment #24
andypostSuppose we should decide on a way of collision detection - I filed #1376778: Consistent 'duplicate key' detection in core
Comment #25
star-szrIt looks like this bugfix is relevant for D7 so bumping back there because of https://www.drupal.org/node/2116417.
Comment #26
rpayanmComment #27
mgifford@wojtha last commented 4 years ago on this issue.
Thanks for the reroll @rpayanm