ID: 18257
Project: Bug reports
Category: User / Groups / Roles
View Status: public
Last Update: 2023-11-17 15:11
Reporter: AdrianR
Assigned To: (none)
Priority: none
Severity: minor
Status: feedback
Resolution: open
Product Version: 5.3.x
Summary: 18257: Multiple users with same email address
Description

When a new user is added, the same email address as an existing one can be added.

Steps To Reproduce

Create two accounts with different account names but the same email address.

Expected result

A warning that this email is already in use, and the user creation process is stopped (don't run the user-create PHP form).

Actual result

Both users are created with the same email address.

Tags: No tags attached.
Bug heat: 10
Complete LimeSurvey version number (& build): 5.3.26+220720
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL 5.7.38
Server OS (if known): CentOS Stream 8
Webserver software & version (if known): Apache 2.4
PHP Version: 7.4

Relationships

related to 19237 (feedback, tibor.pacalat): User should not be able to change their email to an existing one

Users monitoring this issue

There are no users monitoring this issue.

Activities

ollehar (administrator), 2022-07-19 10:35, note ~71007

Should probably have a unique constraint in the database, or at least active record validation rules.

tpartner (partner), 2022-07-19 11:58, note ~71009
Last edited: 2022-07-19 12:00

I'm not sure I see it as a bug. I regularly add test users or add users where I want the password automatically created but not sent to the user by LimeSurvey so I use my email address.

Or maybe just a warning?

ollehar (administrator), 2022-07-19 12:00, note ~71010

It's not about sending out emails, but having the email address being unique for each user.

tpartner (partner), 2022-07-19 12:01, note ~71011

I understand that. I have expanded my comment slightly.

gabrieljenik (manager), 2022-07-19 20:02, note ~71020

I am not sure this is a minor thing, as the "minor" severity implies. Is it?

AdrianR (reporter), 2022-07-20 08:40, note ~71036

From all options, "minor" is the best match for this.

gabrieljenik (manager), 2022-07-21 17:49, note ~71087

In which cases will this be an issue?
I believe it is not a bug. Although strange, it is not causing trouble, is it?

Right now, LS has a lot of installations which could be impacted by a general change we introduce.
If needed, we could add a setting to "enforce unique emails for accounts".

ollehar (administrator), 2022-07-21 18:34, note ~71088

I guess if you make a typo in an email address, the wrong person would get access to the wrong data, and there will be no warning.

gabrieljenik (manager), 2022-07-21 19:02, note ~71089

> I guess if you make a typo in an email address, the wrong person would get access to the wrong data, and there will be no warning.

Agree. But is that in relation to this ticket?

ollehar (administrator), 2023-11-14 15:14, note ~78454

Someone reported a security issue related to this.

DenisChenu (developer), 2023-11-14 16:59, note ~78458

> It's not about sending out emails, but having the email address being unique for each user.

LDAP users don't need an email, WebServer users don't need an email.

> I guess if you make a typo in an email address, the wrong person would get access to the wrong data, and there will be no warning.

And? Why is it an issue? With or without unique validation, a user can make a typo.

> Someone reported a security issue related to this.

I'd like to know the security issue here.

In my opinion: it's not a bug.

DenisChenu (developer), 2023-11-14 17:14, note ~78467

> Someone reported a security issue related to this.

Maybe related to allowing users to connect via email only in AuthLDAP? In my opinion this must be disabled (except with a setting, maybe).

gabrieljenik (manager), 2023-11-14 20:03, note ~78481

My 2 cents.

LS doesn't use email as the user id.
Now all systems do that.
But LS is kind of old, so LS is username-based.

Nowadays, I wouldn't allow 2 users with the same email.
Seems strange. Also, everyone expects it to be unique now.

So, not a bug. But I would not allow it.

DenisChenu (developer), 2023-11-15 08:50, note ~78485
Last edited: 2023-11-15 08:51

> So, not a bug. But I would not allow it.

New global setting option?

And in case of unicity: we must allow an empty email (for the webserver or LDAP plugin, and all other plugins without an email address).

DenisChenu (developer), 2023-11-15 11:27, note ~78491

How do you use (and why does it exist) Add dummy user?

DenisChenu (developer), 2023-11-15 11:27, note ~78492

PS:
> Now all systems do that.

It's false: no PHP forum uses email for identity.

gabrieljenik (manager), 2023-11-15 23:51, note ~78493

> How do you use (and why does it exist) Add dummy user?

That's a good question.
Maybe just add random chars before the '@' so as to comply,
like gabriel+123456@example.com

> New global setting option?

At PHP config level maybe.
That's not something to change often.

DenisChenu (developer), 2023-11-16 08:43, note ~78494

> Maybe just add random chars before the '@' so as to comply.

Yes: but currently they have been created for years with the same email …

I know how to create multiple email addresses with one account (and I can use + or _ personally).

> At PHP config level maybe.

Yes, to start, default to false (allow multiple users with the same email).

We still need to allow users with an empty email.

gabrieljenik (manager), 2023-11-16 13:11, note ~78501

> Yes: but currently they have been created for years with the same email …

Not sure what you mean... Still, things can change, right?

> Yes, to start, default to false (allow multiple users with the same email).

I would say the other way around.
For new installations, I wouldn't allow the same email.

> We still need to allow users with an empty email.

If email is unique, that means email is considered a key.
Why would we allow empty then?

DenisChenu (developer), 2023-11-17 10:08, note ~78506

> Not sure what you mean... Still, things can change, right?

Yes: but no issue for years with multiple users with the same email address. I'm still waiting for the potential security issue with this behaviour.

> I would say the other way around.

Why? I really see NO reason to disallow the same email for different users.

> For new installations, I wouldn't allow the same email.

How do you know it's a new installation?

> Why would we allow empty then?

We don't need email for webserver Auth, LDAP Auth etc. … Why force something not necessary? It's been an issue for years … Auth plugin

For webserver: we get it from config.php: https://github.com/LimeSurvey/LimeSurvey/blob/5c210ea28a6d14d6e8442eeef75155ed3bdd742a/application/core/plugins/Authwebserver/Authwebserver.php#L127
I already created a fork of AuthLDAP allowing LDAP without email.
Shibboleth doesn't force email: https://github.com/atlet/LimeSurvey-ShibbolethAuth/blob/174a2234a82586169869d4987e467b6f2ce6b00a/ShibbolethAuth.php#L96
etc. …

If you force unicity on email and disallow empty email: you break 3 plugins … without an option to fix it …

ollehar (administrator), 2023-11-17 11:56, note ~78508

See https://bugs.limesurvey.org/view.php?id=19237

ollehar (administrator), 2023-11-17 12:05, note ~78509

What about unique constraint but allow empty email?

DenisChenu (developer), 2023-11-17 15:05, note ~78511

> See https://bugs.limesurvey.org/view.php?id=19237

Already answered:
https://bugs.limesurvey.org/view.php?id=19237#c78461

> What about unique constraint but allow empty email?

Already answered:
https://bugs.limesurvey.org/view.php?id=18257#c78485

gabrieljenik (manager), 2023-11-17 15:11, note ~78512

> Why? I really see NO reason to disallow the same email for different users.

It is not what the usual people expect today.

> We don't need email for webserver Auth, LDAP Auth etc. … Why force something not necessary? It's been an issue for years … Auth plugin

I haven't gone that deep. Still, I was picturing it being handled outside of the auth plugins.
Just like any other extra piece of data, as a phone number would be.
Not sure that's possible though.

> What about unique constraint but allow empty email?

Could be good.
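A constructed illustration of the approach discussed in the thread (a unique constraint on email, as ollehar suggested, that still allows plugin accounts without an address, plus a check for the pre-existing duplicate accounts DenisChenu mentions). This is added example code, not LimeSurvey's own; it uses Python with sqlite3 so it runs offline, and the table layout and the enforce_unique_email flag are assumptions rather than LimeSurvey's schema or settings.

```python
import sqlite3

def schema(enforce_unique_email):
    """Constructed users table (assumption, not LimeSurvey's schema).
    With enforcement on, email gets a UNIQUE constraint; NULL is exempt,
    so accounts without an address (LDAP/webserver plugins) stay possible.
    MySQL behaves the same: a UNIQUE column accepts many NULLs but only
    one '' value, so an empty email must be stored as NULL, not ''."""
    unique = "UNIQUE" if enforce_unique_email else ""
    return f"""CREATE TABLE users (
        uid      INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        email    TEXT {unique});"""

def open_db(enforce_unique_email=True):
    conn = sqlite3.connect(":memory:")
    conn.execute(schema(enforce_unique_email))
    return conn

def normalize_email(email):
    """None for empty input; otherwise trimmed and lower-cased so that
    Bob@Example.com and bob@example.com collide (SQLite compares text
    case-sensitively, MySQL's default collation does not)."""
    email = (email or "").strip().lower()
    return email or None

def create_user(conn, username, email):
    """Insert a user and return (ok, message). The database constraint,
    not a SELECT-then-INSERT in application code, does the rejection,
    so two simultaneous create requests cannot both slip through."""
    try:
        with conn:  # commits on success, rolls back on IntegrityError
            conn.execute("INSERT INTO users (username, email) VALUES (?, ?)",
                         (username, normalize_email(email)))
        return True, "created"
    except sqlite3.IntegrityError as exc:
        field = "email address" if "users.email" in str(exc) else "username"
        return False, f"{field} already in use"

def find_duplicate_emails(conn):
    """On a legacy installation (constraint off), list addresses shared by
    several accounts; these must be resolved before enforcement can be
    turned on, which is the migration concern raised in the thread."""
    rows = conn.execute(
        "SELECT lower(trim(email)), COUNT(*) FROM users "
        "WHERE email IS NOT NULL AND trim(email) <> '' "
        "GROUP BY lower(trim(email)) HAVING COUNT(*) > 1").fetchall()
    return dict(rows)
```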

Issue History

Date Modified Username Field Change
2022-07-19 09:20 AdrianR New Issue
2022-07-19 10:35 ollehar Note Added: 71007
2022-07-19 10:35 ollehar Bug heat 0 => 2
2022-07-19 11:58 tpartner Note Added: 71009
2022-07-19 11:58 tpartner Bug heat 2 => 4
2022-07-19 11:59 tpartner Note Edited: 71009
2022-07-19 12:00 tpartner Note Edited: 71009
2022-07-19 12:00 ollehar Note Added: 71010
2022-07-19 12:01 tpartner Note Added: 71011
2022-07-19 20:02 gabrieljenik Note Added: 71020
2022-07-19 20:02 gabrieljenik Bug heat 4 => 6
2022-07-20 08:40 AdrianR Note Added: 71036
2022-07-20 08:40 AdrianR Bug heat 6 => 8
2022-07-21 17:49 gabrieljenik Note Added: 71087
2022-07-21 17:49 gabrieljenik Status new => feedback
2022-07-21 18:34 ollehar Note Added: 71088
2022-07-21 19:02 gabrieljenik Note Added: 71089
2023-11-14 15:14 ollehar Note Added: 78454
2023-11-14 16:59 DenisChenu Note Added: 78458
2023-11-14 16:59 DenisChenu Bug heat 8 => 10
2023-11-14 17:14 DenisChenu Note Added: 78467
2023-11-14 20:03 gabrieljenik Note Added: 78481
2023-11-15 08:50 DenisChenu Note Added: 78485
2023-11-15 08:51 DenisChenu Note Edited: 78485
2023-11-15 11:27 DenisChenu Note Added: 78491
2023-11-15 11:27 DenisChenu File Added: Capture d’écran du 2023-11-15 11-26-22.png
2023-11-15 11:27 DenisChenu Note Added: 78492
2023-11-15 16:32 DenisChenu Relationship added related to 19237
2023-11-15 23:51 gabrieljenik Note Added: 78493
2023-11-16 08:43 DenisChenu Note Added: 78494
2023-11-16 13:11 gabrieljenik Note Added: 78501
2023-11-17 10:08 DenisChenu Note Added: 78506
2023-11-17 11:56 ollehar Note Added: 78508
2023-11-17 12:05 ollehar Note Added: 78509
2023-11-17 15:05 DenisChenu Note Added: 78511
2023-11-17 15:11 gabrieljenik Note Added: 78512