Prevent to add a link with an FC account already linked with another user (fixes #10791).

2016-05-02 11:30:01 +02:00 · 2016-05-02 11:30:01 +02:00 · 2ed8588583
parent ca29f7564a
commit 2ed8588583
2 changed files with 25 additions and 9 deletions
--- a/src/authentic2_auth_fc/locale/fr/LC_MESSAGES/django.po
+++ b/src/authentic2_auth_fc/locale/fr/LC_MESSAGES/django.po
@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: authentic2-auth-fc 1.0\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-04-15 15:34+0200\n"
+"POT-Creation-Date: 2016-05-02 11:24+0200\n"
 "PO-Revision-Date: 2016-02-29 19:56+0100\n"
 "Last-Translator: Benjamin Dauvergne <bdauvergne@entrouvert.com>\n"
 "Language-Team: french <fr@li.org>\n"
@ -17,7 +17,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"

-#: auth_frontends.py:18
+#: auth_frontends.py:16
 msgid "FranceConnect"
 msgstr "FranceConnect"

@ -112,33 +112,37 @@ msgstr "Délier"
 msgid "Cancel"
 msgstr "Annuler"

-#: views.py:208
+#: views.py:212
 msgid "You refused the connection."
 msgstr "Vous avez refusé la connexion."

-#: views.py:220 views.py:229 views.py:242
+#: views.py:224 views.py:233 views.py:246
 msgid "Unable to connect to FranceConnect."
 msgstr "Impossible de se connecter à FranceConnect."

-#: views.py:299
+#: views.py:300
+msgid "The FranceConnect account {} is already linked with another account."
+msgstr "Le compte FranceConnect {} est déjà associé à un autre compte."
+
+#: views.py:316
 msgid "Your FranceConnect account {} has been linked."
 msgstr "Votre compte FranceConnect {} a été associé."

-#: views.py:305
+#: views.py:322
 msgid "Your local account has been updated."
 msgstr "Votre compte local a été mis à jour."

-#: views.py:320
+#: views.py:337
 msgid ""
 "If you already have an account, please log in, else create your account."
 msgstr ""
 "Si vous avez déjà un compte saisissez vos identifiants ou créez votre compte."

-#: views.py:338
+#: views.py:355
 msgid "FranceConnect didn't provide your email address, please do."
 msgstr "FranceConnect n'a pas fourni votre adresse email, merci de le faire."

-#: views.py:392
+#: views.py:416
 #, python-brace-format
 msgid "The link with the FranceConnect account {fc_account} has been deleted."
 msgstr "La liaison avec le compte FranceConnect {fc_account} a été supprimée"
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@ -291,6 +291,18 @@ class LoginOrLinkView(PopupViewMixin, FcOAuthSessionViewMixin, View):
        registration = True if 'registration' in request.GET else False
        '''Request an access grant code and associate it to the current user'''
        if request.user.is_authenticated():
+            # Prevent to add a link with an FC account already linked with another user.
+            try:
+                fc_account = models.FcAccount.objects.get(sub=self.sub, user__is_active=True)
+                if fc_account.user is not request.user:
+                    msg = 'Attempt to link FC account {} already linked with user {}'
+                    self.logger.info(msg.format(self.sub, fc_account.user))
+                    messages.info(request, _('The FranceConnect account {} is '
+                        'already linked with another account.').format(fc_account))
+                    return self.redirect(request)
+            except models.FcAccount.DoesNotExist:
+                pass
+
            # Old link are deleted
            json_token = json.dumps(self.token)
            self.fc_account, created = models.FcAccount.objects.get_or_create(