Default reference emails to lowercase when comparing to user's email address in credential applications
mscanlan-git opened this issue · comments
Michael Scanlan commented
Currently, users are able to use the same email address for both themselves and their reference as the current check is not case sensitive.
Without publicly revealing the case in which I discovered this, here's an example:
Personal: test@mit.edu
Reference: Test@mit.edu
The code that checks the email addresses is as follows:
```python
def clean_reference_email(self):
    reference_email = self.cleaned_data.get('reference_email')
    if reference_email:
        if reference_email in self.user.get_emails():
            raise forms.ValidationError("""You can not put yourself
                as a reference.""")
        else:
            validate_institutional_email(reference_email)
    return reference_email.strip()
```
Instead of `if reference_email in self.user.get_emails():` we should do a comparison with `.lower()` to default both email addresses to lowercase then compare. This would allow us to prevent this bug from occurring.
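The case-insensitive comparison proposed above, shown beside the exact-match check it replaces. This is an added example, not part of the original issue or the project's code: the function names, the plain `user_emails` list standing in for `self.user.get_emails()`, and `ValueError` standing in for `forms.ValidationError` are assumptions, and it goes slightly beyond the proposal by trimming whitespace before comparing and using `casefold()` rather than `.lower()`.

```python
def normalize_email(address):
    """Comparison-only form of an address: surrounding whitespace removed, case folded."""
    return address.strip().casefold()


def is_self_reference_exact(reference_email, user_emails):
    """The check as posted in the issue: exact string membership."""
    return reference_email in user_emails


def is_self_reference(reference_email, user_emails):
    """Hardened check: both sides are normalized before the membership test."""
    if not reference_email:
        return False
    own = {normalize_email(e) for e in user_emails if e}
    return normalize_email(reference_email) in own


def clean_reference_email(reference_email, user_emails):
    """Stand-in for the form method (hypothetical signature, no Django needed).

    The institutional-email validation from the original method is omitted.
    """
    if not reference_email:
        return reference_email
    if is_self_reference(reference_email, user_emails):
        raise ValueError("You can not put yourself as a reference.")
    # Return the address as typed (trimmed); normalization is for comparison only.
    return reference_email.strip()


# Constructed sample data: the first address is the one used in the issue.
USER_EMAILS = ["test@mit.edu", "Other.Address@Example.org"]

if __name__ == "__main__":
    for candidate in ["Test@mit.edu", " TEST@MIT.EDU ", "colleague@mit.edu"]:
        exact = is_self_reference_exact(candidate, USER_EMAILS)
        folded = is_self_reference(candidate, USER_EMAILS)
        print(f"{candidate!r}: exact match={exact}, normalized match={folded}")
```

Normalizing the stored addresses as well as the submitted one matters here, since an account registered with mixed-case letters would otherwise still slip past a check that lowercases only the reference.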
Tom Pollard commented
Good catch!