Why does Django's User Model set the email field as non-unique? [duplicate]

I am using Django's default User model and the email is not unique; now I have multiple users with the same email address.

You can have User_A with email address [email protected], and then a new user User_B can register with the same email address [email protected].

This doesn't make sense in any programming universe, and it will cause confusion with email-sending functionality, and possible wrong password resets (if a password reset link is sent, with two users sharing the same email address).

This doesn't hold an obvious security vulnerability as I see it because only the original user has control of the original email address, so the attacker will not receive the reset emails.

However, this could result in the original user User_A being locked out of his original account (if he forgets his password) and being prevented from issuing a password reset because Django attempts to reset the new user User_B only. Obviously User_A wants access to his account, not to User_B's account.

  1. What is the justification?
  2. Obviously the password reset functionality is linked with the email, so if I reset the password based on the email, which user (upon following the password reset link) will be reset?
  3. How can I make the email field unique?
Orca asked Jul 07 '13 17:07



1 Answer

The password reset functionality is indeed based on email addresses.

It will send a reset email to all accounts that have a corresponding email.

The context passed to the email template includes the user, so your email reset message may include the username to let the user identify which password this would reset.

All of these may be overridden by using:

  • A custom password reset form
  • A custom user model
Thomas Orozco answered Oct 19 '22 19:10

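An added example, not from the question or answer and not Django's own code: plain Python that models what the default reset lookup does (case-insensitive match on the email, active accounts only, every match gets a link), the duplicate audit a site would run before adding a unique constraint on email, and a stricter policy that sends nothing while an address is ambiguous. The user rows and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample of account rows, shaped like Django's auth_user table.
# user_a and user_b share an address (differing only in case); user_c has the
# same address but is inactive, so the default reset would skip it.
USERS = [
    {"username": "user_a", "email": "a@example.com", "is_active": True},
    {"username": "user_b", "email": "A@example.com", "is_active": True},
    {"username": "user_c", "email": "a@example.com", "is_active": False},
    {"username": "user_d", "email": "d@example.com", "is_active": True},
]


def reset_recipients(users, email):
    """Accounts the default password reset would email for `email`.

    Mirrors Django's lookup: case-insensitive match on the email field,
    restricted to active accounts. With duplicate addresses every matching
    account receives its own reset link, which is the situation the question
    describes.
    """
    wanted = email.lower()
    return [u["username"] for u in users
            if u["is_active"] and u["email"].lower() == wanted]


def duplicate_emails(users):
    """Addresses shared by more than one account, compared case-insensitively.

    Inactive accounts are included on purpose: a unique constraint applies to
    every row, so these conflicts must be resolved before the migration runs.
    """
    groups = defaultdict(list)
    for u in users:
        groups[u["email"].lower()].append(u["username"])
    return {addr: names for addr, names in groups.items() if len(names) > 1}


def safe_reset_recipients(users, email):
    """Stricter policy for the interim: send a reset only when exactly one
    active account matches, so an ambiguous address produces no email at all
    until the duplicate has been cleaned up."""
    matches = reset_recipients(users, email)
    return matches if len(matches) == 1 else []
```

In a Django project the same two rules would live in a `PasswordResetForm` subclass and in a data migration run before `unique=True` is added to the email field.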