Prohibit re-registration

Author: Marishka17

cvat/apps/iam/serializers.py

@@ -13,12 +13,13 @@
 from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError as DjangoValidationError
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema_field
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from cvat.apps.iam.forms import ResetPasswordFormEx
-from cvat.apps.iam.utils import get_dummy_user
+from cvat.apps.iam.utils import get_dummy_or_regular_user
 
 
 class RegisterSerializerEx(RegisterSerializer):
@@ -60,8 +61,16 @@ def save(self, request):
         adapter = get_adapter()
         self.cleaned_data = self.get_cleaned_data()
 
+        dummy_user, regular_user = get_dummy_or_regular_user(self.cleaned_data["email"])
+        # A regular user registered via standard sign-up or social login method;
+        # has an unverified email address
+        if regular_user:
+            raise serializers.ValidationError(
+                _("A user is already registered with this e-mail address.")
+            )
+
         # Allow to overwrite data for dummy users
-        user = get_dummy_user(self.cleaned_data["email"]) or adapter.new_user(request)
+        user = dummy_user or adapter.new_user(request)
 
         user = adapter.save_user(request, user, self, commit=False)
         if "password1" in self.cleaned_data:

cvat/apps/iam/tests/test_rest_api.py

@@ -12,8 +12,8 @@
 
 from cvat.apps.engine.tests.test_rest_api import create_db_users
 from cvat.apps.engine.tests.utils import ApiTestBase
-from cvat.urls import urlpatterns as original_urlpatterns
 from cvat.apps.iam.views import ConfirmEmailViewEx
+from cvat.urls import urlpatterns as original_urlpatterns
 
 urlpatterns = original_urlpatterns + [
     re_path(

cvat/apps/iam/utils.py

@@ -33,21 +33,34 @@ def add_opa_rules_path(path: Path) -> None:
     get_opa_bundle.cache_clear()
 
 
-def get_dummy_user(email):
+def get_dummy_or_regular_user(email: str):
+    """
+    A dummy user is created by CVAT when an invitation to an organization is sent.
+
+    A user is considered a dummy if:
+    - There is only one User object with the given email
+    - The User object has an unusable password which starts with the UNUSABLE_PASSWORD_PREFIX ("!")
+    - The User object has no linked EmailAddress object
+    """
     from allauth.account.models import EmailAddress
     from allauth.account.utils import filter_users_by_email
 
     users = filter_users_by_email(email)
-    if not users or len(users) > 1:
-        return None
+    if not users:
+        return None, None
+
+    assert len(users) == 1, "More than one user has this email"
+
     user = users[0]
     if user.has_usable_password():
-        return None
+        return None, user
     try:
         EmailAddress.objects.get_for_user(user, email)
     except EmailAddress.DoesNotExist:
-        return user
-    return None
+        return user, None
+
+    # account was created using social login
+    return None, user
 
 
 def clean_up_sessions() -> None:

cvat/apps/iam/views.py

@@ -29,9 +29,13 @@
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 
+from cvat.apps.engine.log import ServerLogManager
+
 from .authentication import Signer
 from .utils import get_opa_bundle
 
+slogger = ServerLogManager(__name__)
+
 
 @extend_schema(tags=["auth"])
 @extend_schema_view(
@@ -101,9 +105,9 @@ def post(self, request, *args, **kwargs):
             # because redirect will make a POST request and we'll get a 404 code
             # (although in the browser request method will be displayed like GET)
             return HttpResponseBadRequest("Unverified email")
-        # TODO: check why we need to handle exceptions here
-        except Exception:  # nosec
-            pass
+        # FUTURE-TODO: check why we need to handle exceptions here
+        except Exception as ex:
+            slogger.glob.warning(str(ex), exc_info=True)
 
         self.login()
         return self.get_response()

cvat/apps/organizations/serializers.py

@@ -12,7 +12,7 @@
 from rest_framework import serializers
 
 from cvat.apps.engine.serializers import BasicUserSerializer
-from cvat.apps.iam.utils import get_dummy_user
+from cvat.apps.iam.utils import get_dummy_or_regular_user
 
 from .models import Invitation, Membership, Organization
 
@@ -143,8 +143,8 @@ def update(self, instance, validated_data):
 
     def save(self, request, **kwargs):
         invitation = super().save(**kwargs)
-        dummy_user = get_dummy_user(invitation.membership.user.email)
-        if not to_bool(settings.ORG_INVITATION_CONFIRM) and not dummy_user:
+        _, regular_user = get_dummy_or_regular_user(invitation.membership.user.email)
+        if not to_bool(settings.ORG_INVITATION_CONFIRM) and regular_user:
             invitation.accept()
         else:
             invitation.send(request)