<p></p>
<p><b>@milan-cvetkovic</b> commented on this pull request.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1479872612">app/controllers/users_controller.rb</a>:</p>
<pre style='color:#555'>> @@ -290,8 +241,23 @@ def auth_success
else
failed_login t("sessions.new.auth failure")
end
+ elsif user.nil? && user = User.find_by(:email => email)
+ user[:auth_uid] = uid
+ user[:auth_provider] = provider
+ user.save!
+
+ user.deactivate! if user.status == "active" && !email_verified
+
+ if user.status == "active"
+ successful_login(user)
+ else
+ session[:token] = user.tokens.create.token
+ UserMailer.signup_confirm(user, user.tokens.create(:referer => session[:referer])).deliver_later
+ redirect_to :controller => :confirmations, :action => :confirm, :display_name => user.display_name
+ end
</pre>
<p dir="auto">I agree with you that this is indeed a tricky scenario. I am not really a fan of hijacking the existing account once you signin successfully with social account with same email address.</p>
<blockquote>
<p dir="auto">There's a definite problem here, that I had a case of only this week, where somebody tries a social signup and they already have an account but I think we need to send a confirmation email in all cases and probably make it a different one saying that we need to confirm the social signup link and just use it to confirm the link rather than doing a deactivate first.</p>
</blockquote>
<p dir="auto">I suspect user already had an OSM account and tried logging in with social account, with desire to add an alternate method of signing in. The functionality to do this already exists, by modifying in the "External Authentication" in settings.</p>
<blockquote>
<p dir="auto">There's a definite problem here, that I had a case of only this week, where somebody tries a social signup and they already have an account but I think we need to send a confirmation email in all cases and probably make it a different one saying that we need to confirm the social signup link and just use it to confirm the link rather than doing a deactivate first.</p>
</blockquote>
<p dir="auto">This seems like a complex approach to me, since the confirmation email process currently practically only activates the account.</p>
<p dir="auto">I suggest we step back and simply detect this scenario, and suggest the user to actually login with their email account/password, and modify their settings to include social sign in? This would also eliminate the scenarios where the user already uses a different social signup.</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1479872612">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAK2OLJDAV2TNVOZ25XDPUTYSI2TNAVCNFSM6AAAAABBLOL2OWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTQNRVGMYDKMJUGY">unsubscribe</a>.<br />You are receiving this because you are subscribed to this thread.<img src="https://github.com/notifications/beacon/AAK2OLOW7VSW4NO6LH3LFKLYSI2TNA5CNFSM6AAAAABBLOL2OWWGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTTPFZGDU.gif" height="1" width="1" alt="" /><span style="color: transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: all">Message ID: <span><openstreetmap/openstreetmap-website/pull/4455/review/1865305146</span><span>@</span><span>github</span><span>.</span><span>com></span></span></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1479872612",
"url": "https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1479872612",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>