@cdorin, when a developer is looking into this, please also make sure to check the LS3 code base. My guess is that the same issue exists there as well.

@TonyMonast, we noted that the same also applies to email addresses (tested with Limesurvey 3.22.27). Usually Limesurvey doesn't allow the same email address for multiple entries at the participant table. But using the API there seems to be no warning or the like. Can you confirm this?

@DenisChenu, what do you think is the best way to deal with this? I think similar to the admin features, the API should throw errors if duplicate tokens or emails are added. In addition we could add additional parameters for enabling/disabling filters for duplicate tokens/emails/..., what do you think?

@Mazi, I confirm that I am able to create two participants with the same email with the JSON_RPC API. You suggested "In addition we could add additional parameters for enabling/disabling filters for duplicate tokens/emails/", do you mean a parameter to allow duplicate entry (email and token) like I'm able to create? If so, note that when there is a duplicate token in the participants list, it causes other bugs like the ones I mentioned. The system assumes that the participant token is unique, and if you allow having a duplicate token, I suppose you will have to change a lot of code to support this.

The JSON_RPC api let you create two participants with the same token.

Exactly the same ? Are you sure you don't have a space ?
See https://github.com/LimeSurvey/LimeSurvey/blob/100f7ffa44d350649074080d33ecddadaa23042d/application/models/Token.php#L366

1. API must validate token
2. Allow multiple with option (like GUI) for email

@Mazi : email adress are not a issue , token are an issue … email adress is a misfeature … (and need a separate mantis number)

1. token : duplicate MUST be disallowed : always . It's a big issue.
2. email : it's a featuire request, need to be allowed.

@DenisChenu Yes, exactly the same token, no space. See the new screenshot.

duplicate-tokens.png (7,667 bytes)   

duplicate-tokens.png (7,667 bytes)   

@DenisChenu,

To reproduce that, you need to do 2 separates calls to the api.

OK:
3.X version : use save() : no way to add token with same code https://github.com/LimeSurvey/LimeSurvey/blob/1ae7e788a9f67c355a884c1fe4b0eb66c43f78da/application/helpers/remotecontrol/remotecontrol_handle.php#L1765
4.X version $token->encryptSave() https://github.com/LimeSurvey/LimeSurvey/blob/100f7ffa44d350649074080d33ecddadaa23042d/application/helpers/remotecontrol/remotecontrol_handle.php#L1812, way to add same code

encryptsave don't validate … https://github.com/LimeSurvey/LimeSurvey/blob/100f7ffa44d350649074080d33ecddadaa23042d/application/models/LSActiveRecord.php#L390

Adding validation to the save operation.

What I have seen is that encryptSave doesn't do validation by default.
I haven't updated that, but shouldn't we? Why it was set to false?

PR: https://github.com/LimeSurvey/LimeSurvey/pull/1534

Uploaded unit test.

Also it is to notice we should, on another story, turn validation = TRUE for the encryptSave.
Also, we could enhance this is with some kind of attribute which tells if the token is encrypted or not as to not double encrpyt or not double decrypt.

When do you plan to merge the code to release a new version that fixes this bug? Currently I either have to modify the code of our LimeSurvey installations or make my application handles duplicates and not LimeSurvey, which makes the code over-complicated for nothing.

Thank you!

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30419

Fixed in Release 4.3.14+200826