Currently the Wikimedia login plugin for Discourse "merges" multiple Wikimedia accounts sharing the same email address. While Discourse requires a unique email address for each user, Wikimedia SUL doesn't.
In order to avoid user confusion and potential security weaknesses, it seems a good idea to add a username/email check to the Wikimedia login plugin for Discourse.
- The plugin should check whether the incoming Wikimedia username/email already exists in the Discourse database.
- If none of them exists, a new account would be created.
- If the email already exists but the username doesn't, then an error message would be displayed to the user, like: "There is already an account using this email address. If you want to use more than one account in $SITENAME, then you need to use unique email addresses for each Wikimedia account."
There is the possibility that the username exists but the email address has changed. What should we do in these situations?