Prevent duplicate account links from being created by swapping logins and then…
b038041dc600
Actions

Authored by epriestley <git@epriestley.com> on Oct 24 2015, 13:50.

Description

Prevent duplicate account links from being created by swapping logins and then refreshing the link

Summary:
Fixes T6707. Users can currently do this:

Log in to a service (like Facebook or Google) with account "A".
Link their Phabricator account to that account.
Log out of Facebook, log back in with account "B".
Refresh the account link from Settings → External Accounts.

When they do this, we write a second account link (between their Phabricator account and account "B"). However, the rest of the codebase assumes accounts are singly-linked, so this breaks down elsewhere.

For now, decline to link the second account. We'll permit this some day, but need to do more work to allow it, and the need is very rare.

Test Plan:

Followed the steps above, hit the new error.
Logged back in to the proper account and did a link refresh (which worked).

{F905562}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T6707

Differential Revision: https://secure.phabricator.com/D14319

Details

Committed

epriestley <git@epriestley.com>

Oct 24 2015, 13:50

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH4afeebe83489: Don't store IP addresses in content sources

Branches

Unknown

Tags

Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHb038041dc600: Prevent duplicate account links from being created by swapping logins and then… (authored by epriestley <git@epriestley.com>).Oct 24 2015, 13:50

Changes (1)

				Path
	M			src/applications/auth/controller/PhabricatorAuthLoginController.php

rPHb038041dc600

View Options

src/applications/auth/controller/PhabricatorAuthLoginController.php