Fix error sending email with capitalization to ApigeeX Org #756
Conversation
shishir-intelli
requested review from
raakesh-blokhra,
giteshk,
phdhiren and
divya-intelli
| * Forcing user email address to lowercase for ApigeeX/Hybrid Org. | ||
| * @see https://github.com/apigee/apigee-edge-drupal/issues/730 | ||
| */ | ||
| function apigee_edge_user_email_check(&$account) { |
There was a problem hiding this comment.
Sorry, but I believe this should be a new field level constraint which would run whenever and wherever $user->validate() or $userl->mail->validate() is called. This would be the standard Drupal/Symfony way or ensuring data consistency.
As a last result, a sanity check could still be executed in apigee_edge_user_presave() to ensure the above described field level validation was actually validated before entity save - because we all know that some IDP integration modules loves to bypass validating the user entity before they save it - and if an email still contains uppercase characters a LogicException (or a subclass of it) could be thrown to prevent user creation. (Which is still better than spending hours on figuring our why they is a Drupal user in the system without a developer account on the Apigee side.)
There was a problem hiding this comment.
I know of a case where the client's LDP was using upper-case characters in every user's email address, which apparently was getting synced with Apigee. The client was reluctant to change the LDP configurations so wrote a hook to convert the new user's email address to lowercase and also an update hook to convert the existing user's email address to lowercase which in turn syncs the developer account Apigee as well.
| // therefore preventing the form from creating account | ||
| // with uppercase email address. | ||
| if (preg_match('/[A-Z]/', $email)) { | ||
| $account->set('mail', strtolower($email)); |
There was a problem hiding this comment.
I have security concerns regarding this approach because I am quite sure that somewhere in the user create/update process it is checked whether the new/changed email address of Drupal user is already belongs to a developer account on Apigee, BUT if that runs before this code then somebody could easily take over a developer account of somebody else by using a uppercase version of the email address.
There was a problem hiding this comment.
Thank you @mxr576 for reviewing this PR.
Do you mean to say, that instead of forcefully converting the email address to lowercase we should put a constraint on the email field so the user gets an error message while user create/update if capitalized email address found for Apigee-X Org.
There was a problem hiding this comment.
Yes, exactly - And developer sync is also going to fail (it already works like this) when entity validation fails.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## 2.x #756 +/- ##
=========================================
Coverage 44.85% 44.85%
Complexity 3047 3047
=========================================
Files 345 345
Lines 11178 11178
=========================================
Hits 5014 5014
Misses 6164 6164 |
|
Just wanted to check in on this issue and see if there's any further movement on this...? Looking at this PR, I would not be expecting this module to control how I am storing a user email in my Drupal site. I guess, to me, the fix I would expect is simply that, when sending an email over to Apigee, that it's transformed to lowercase at that time. Leave it stored in whatever case it's stored in on Drupal... Is that not viable? |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Hi Apigee team - Is there any direction on this pull request? This has been open for more than a year now, with little discussion. There are some valid discussions that are still open here. What are the next steps to move this issue forward? |
|
Hi @dpagini , |
|
Hi @shishir-intelli I checked with other cases also, |
|
Please note that this approach goes against the SMTP standard: https://datatracker.ietf.org/doc/html/rfc5321#section-2.4 clearly says:
If this gets merged, all kind of breaks are expected, not only in Drupal, but also in receiving emails, etc. |
|
Hi @boobaa We are planning to add the following to avoid the duplicate developers with same email ids. During new user creation - Add a duplicate email id check (Includes a check with lists of existing developers in that X org) If you have any other additional to-dos, we are open for a discussion over here. |
|
Do not forget about email changing in the Drupal UI, that should be also handled... But not even Drupal core handles that (still) https://www.drupal.org/node/85494 Even if think this auto-lowercasing is a bad idea... Let me try to imagine how this could work securely... Before the lowercased email is saved, the ownership must be confirmed via opening a verification link from the mailbox or similar. |
|
I'm not sure I agree with this approach, either. |
|
This issue has been resolved here #1050 |
Closes #730
As ApigeeX Org is not accepting capitalized email address, we are forcing lowercase email addresses for Apigee-X Org to prevent error.