# HG changeset patch
# User RhodeCode Admin
# Date 2024-03-13 18:46:19
# Node ID 77661e7bceae655957fd0d0ddcdd374e30a7997a
# Parent adc169b493c11dd8148c5d265c2f1555c72a4fb4
fix(user-models): added extra protection against model username changes that would create duplicates
diff --git a/rhodecode/apps/my_account/views/my_account.py b/rhodecode/apps/my_account/views/my_account.py
--- a/rhodecode/apps/my_account/views/my_account.py
+++ b/rhodecode/apps/my_account/views/my_account.py
@@ -136,6 +136,7 @@ class MyAccountView(BaseAppView, DataGri
 except forms.ValidationFailure as e:
 c.form = e
 return self._get_template_context(c)
+
 except Exception:
 log.exception("Exception updating user")
 h.flash(_('Error occurred during update of user'),
diff --git a/rhodecode/lib/exceptions.py b/rhodecode/lib/exceptions.py
--- a/rhodecode/lib/exceptions.py
+++ b/rhodecode/lib/exceptions.py
@@ -144,6 +144,10 @@ class NotAllowedToCreateUserError(Except
 pass
+class DuplicateUpdateUserError(Exception):
+ pass
+
+
 class RepositoryCreationError(Exception):
 pass
diff --git a/rhodecode/model/user.py b/rhodecode/model/user.py
--- a/rhodecode/model/user.py
+++ b/rhodecode/model/user.py
@@ -37,7 +37,7 @@ from rhodecode.lib.str_utils import safe
 from rhodecode.lib.exceptions import (
 DefaultUserException, UserOwnsReposException, UserOwnsRepoGroupsException,
 UserOwnsUserGroupsException, NotAllowedToCreateUserError,
- UserOwnsPullRequestsException, UserOwnsArtifactsException)
+ UserOwnsPullRequestsException, UserOwnsArtifactsException, DuplicateUpdateUserError)
 from rhodecode.lib.caching_query import FromCache
 from rhodecode.model import BaseModel
 from rhodecode.model.db import (
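Review bot: `DuplicateUpdateUserError` in rhodecode/lib/exceptions.py is added without a docstring, so nothing at the definition says when it is raised or who is expected to catch it; I would add `"""Raised when a user update would take a username that already belongs to another account."""` under the class line. Because it derives directly from `Exception`, the existing `except Exception:` branch in the my_account.py section (which only gains a blank line in this changeset) will catch it and flash the generic 'Error occurred during update of user' message. If the user is meant to learn that the name is taken, that view needs its own `except DuplicateUpdateUserError:` branch ahead of the generic one. Other callers of the model method are outside this diff, so whether they handle the new exception cannot be judged from here.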
@@ -308,6 +308,10 @@ class UserModel(BaseModel):
 log.debug('Checking for existing account in RhodeCode '
 'database with user_id `%s` ', updating_user_id)
 user = User.get(updating_user_id)
+ # now also validate if USERNAME belongs to potentially other user
+ maybe_other_user = User.get_by_username(username, case_insensitive=True)
+ if maybe_other_user and maybe_other_user.user_id != updating_user_id:
+ raise DuplicateUpdateUserError(f'different user exists with the {username} username')
 else:
 log.debug('Checking for existing account in RhodeCode '
 'database with username `%s` ', username)
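Review bot: The new duplicate check in the `updating_user_id` branch is a read followed later by a separate write, so two concurrent updates to the same name can both pass `User.get_by_username(...)` before either one commits. It is worth saying so at the check, e.g. `# best-effort pre-check: only a unique constraint on the case-folded username closes the race`, and confirming that such a constraint exists in the schema, which is not visible here. The result also depends on how `case_insensitive=True` folds case in the database, so names that differ only in Unicode form may still be treated as distinct; that is presumably acceptable but should be checked against the collation in use. The enclosing method starts and ends outside the hunk.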