Vote #67709
Incomplete
Uniqueness of User model fields is not checked sufficiently
0%
Description
Although the @User@ model defines @:login@ and @:mail@ as unique, it is not guaranteed that these are indeed unique in the database. Parallel requests can insert exactly the same users (apart from the id) if the transactions overlap.
Therefore I propose to add a unique index to the database to ensure uniqueness. Also, I propose to always save the login in lowercase to properly use that index. It still has to be checked whether that works correctly with the legacy mixed-case logins (after r3807, r3813 because of #2473).
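The overlap described above and the effect of a unique index, as an added example that is not part of the original issue or of Redmine's code. Python with SQLite stands in for the Rails application and its database; the table layout, index name and sample logins are assumptions, and an index on @lower(login)@ is used here in place of storing logins in lowercase.

```python
import os
import sqlite3
import tempfile

SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, mail TEXT)"
# Assumed index name; enforces case-insensitive uniqueness inside the DBMS.
UNIQUE_INDEX = "CREATE UNIQUE INDEX users_login_uniq ON users (lower(login))"


def login_is_free(conn, login):
    """Application-level check, like a uniqueness validation: SELECT first."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE lower(login) = lower(?)", (login,)
    ).fetchone()
    return row is None


def insert_user(conn, login, mail):
    """INSERT the row and report whether the database accepted it."""
    try:
        conn.execute("INSERT INTO users (login, mail) VALUES (?, ?)", (login, mail))
        return "inserted"
    except sqlite3.IntegrityError:
        return "rejected by unique index"


def overlapping_registrations(with_unique_index):
    """Two requests both validate before either one inserts (the overlap)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "users.db")
        # Two connections stand in for two parallel application processes.
        a = sqlite3.connect(path, isolation_level=None)
        b = sqlite3.connect(path, isolation_level=None)
        a.execute(SCHEMA)
        if with_unique_index:
            a.execute(UNIQUE_INDEX)
        # Constructed sample input: the same login, differing only in case.
        reqs = [(a, "jsmith", "j@example.org"), (b, "JSmith", "j@example.org")]
        # Step 1: both requests run the check; neither sees an existing row.
        passed = [login_is_free(c, login) for c, login, _ in reqs]
        # Step 2: both requests insert, trusting their earlier check.
        results = [insert_user(c, login, mail) for c, login, mail in reqs]
        count = a.execute("SELECT count(*) FROM users").fetchone()[0]
        a.close()
        b.close()
        return passed, results, count


if __name__ == "__main__":
    print("no index:  ", overlapping_registrations(False))
    print("with index:", overlapping_registrations(True))
```

In both runs the application-level check passes for both requests; only the run with the index ends with a single row.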
journals
Well some kind of check is good, but if the database uses some database driver which is transaction safe, there shouldn't be some kind of duplicate.
Anyway, a check if the username/mail is available would be good.
--------------------------------------------------------------------------------
Daniel Felix wrote:
> Well some kind of check is good, but if the database uses some database driver which is transaction safe, there shouldn't be some kind of duplicate.
Well, no. Only the DBMS itself can ensure uniqueness constraints, at least with the transaction level typically used. And if there are no constraints defined, they will not be ensured naturally.
--------------------------------------------------------------------------------
Indeed, the unique indexes are necessary (this is even documented in AR).
--------------------------------------------------------------------------------
Holger Just wrote:
> Well, no. Only the DBMS itself can ensure uniqueness constraints, at least with the transaction level typically used.
I know Holger, but I think this was some kind of misunderstanding.
With database driver I meant things like InnoDB (transaction safe) and MyISAM (not safe, but faster), well it would be better if I called them database engines instead of drivers.
Well even a constraint in the db won't help if the database engine has no transaction support. ;-)
But anyway... besides this... I totally agree with you. This should be handled by some constraint, but there should be still some indicator if this username or mail is already in use before sending the registration to Redmine. Just in case of the user friendliness.
--------------------------------------------------------------------------------
Daniel Felix wrote:
> Holger Just wrote:
> > Well, no. Only the DBMS itself can ensure uniqueness constraints, at least with the transaction level typically used.
>
> I know Holger, but I think this was some kind of misunderstanding.
> With database driver I meant things like InnoDB (transaction safe) and MyISAM (not safe, but faster), well it would be better if I called them database engines instead of drivers.
>
> Well even a constraint in the db won't help if the database engine has no transaction support. ;-)
Please see #9685 and "AR#validates_uniqueness_of":http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMethods.html#method-i-validates_uniqueness_of.
My concern is more about the Users table storing Groups which have no mail...
--------------------------------------------------------------------------------
Allowing a mail address to be used for different users is often asked for so I don't think it would be a great idea to add a unique index here; about the login there's no MTI in RoR and neither sqlite, mysql nor postgresql support unique indexes without considering null values.
So we could either have a table per class (will require more work in more code locations) or fill the login column with the name of the Group (Anonymous type has only one record).
--------------------------------------------------------------------------------
Updated by Admin Redmine over 3 years ago
- Category set to Accounts / authentication_7
- Target version set to Candidate for next major release_32