Redmine

+1 (see #8186 for more details)

I vote for this. It would be very useful.

Hi! We have a heavy-used Redmine install at our company and we've found out that most users get confused with those IRC'ish logins, so we needed to patch email login in.
NB: We maintain a patch set we apply after every update, but we think that most of the people will be happy to have email login provided in the official version.

Here is the diff against trunk:

$ svn diff
Index: app/models/user.rb
===================================================================
--- app/models/user.rb    (revision 11691)
+++ app/models/user.rb    (working copy)
@@ -160,7 +160,13 @@

     # Make sure no one can sign in with an empty login or password
     return nil if login.empty? || password.empty?
-    user = find_by_login(login)
+
+    if login.match(/\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/)
+      user = find_by_mail(login)
+    else
+      user = find_by_login(login)
+    end
+
     if user
       # user is already in local database
       return nil unless user.active?

login using email is useful
+1

+1 I maintain a redmine for freelance and personal projects and friends/customers tend to try using their emails.

A few stopped connecting to redmine due to the unmet expectation.

I think this could be an option in `/settings?tab=authentication`

+1

for some people having to remember yet another username is not as trivial as it might sound, and when you use their e-mail as username it is ugly and can even mess with the issues list table's layout

+1

As far as I can see, it has very little impact,and I would not need to modify user.rb file at each update :)

+1

+10000

+1 This is so common these days and people don't have to remember another login.

Marius BALTEANU wrote:

You can already achieve this by using the same email address as login username (attached a screenshot). IMO, current implementation is flexible enough to cover multiple use cases.

If your email address changes you can't change your username which makes it somehow impractical. I also see it more like a second chance to get into your account if you have forgotten your username. It's not particularly a problem of mine but I have users who aren't using Redmine very often and tending to forget their username from time to time.

We also need to consider that an user can have multiple email addresses (which makes a possible implementation more complex).

I think it would be sufficient enough to only check the primary email address.

Thanks Bernhard for clarification.

It should be enough to allow users to login by username or email address, right? without any other impact in application. I'm asking because first time when I read this, I understood that we should have a setting to choose between username and email.

Sorry for my late reply Marius, there seems to be an issue with notification mails on redmine.org.

Marius BALTEANU wrote:

It should be enough to allow users to login by username or email address, right? without any other impact in application.

Yes, that's exactly what I ment. You can find it very often these days for example on GitLab, GitHub, or also on Facebook or Amazon.
It's very convenient to get into your account even if you don't remember your username. I think plan.io has done it the same way, as I can remember.

I think the problem may occur when a user sets another user's email address as their login ID. For example, if there are two users as shown in the table below, which user can sign in with foo@example.com?

A simple (and consistent) solution could be to find a user fiorst by login and then as a fallback by email address. This could be implemented with just the following patch:

diff --git a/app/models/user.rb b/app/models/user.rb
index 0f78a8937a..67704cd162 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -216,7 +216,7 @@ def self.try_to_login!(login, password, active_only=true)
     # Make sure no one can sign in with an empty login or password
     return nil if login.empty? || password.empty?

-    user = find_by_login(login)
+    user = find_by_login(login) || find_by_mail(login)
     if user
       # user is already in local database
       return nil unless user.check_password?(password)

From the example in #note-16, a user trying to login as foo@example.com would thus be logged in as user 12.

Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.

Marius BĂLTEANU wrote in #note-18:

Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.

I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.

Suppose that there is a user below. User 11 can sign in with testuser1 or foo@example.com.

If the following user 12 is created, then user 11 will suddenly not be able to sign in with foo@example.com.

I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.

Unfortunately it is possible to create new users having a at-sign in the username. This is always a source of trouble, if this is not the user's email which should be also validated against the email property. I would disallow at-sign in usernames to avoid such inconsistencies.

Anyway - in the current implementation it would be safest to add such a config as suggested to turn on / off using `find_by_mail(login)` on login.

I already patch user.rb since 10 years. Would be nice to avoid that and to close this ticket ;-)

P.S.: You should switch your db character set to not fail on specific utf-characters ...