Default SOCIAL_AUTH_ASSOCIATE_BY_EMAIL to False to avoid some secury …

…risks (while it's not removed). Closes omab#356

README.rst

@@ -335,9 +335,9 @@ Configuration
 
   It is also possible to associate multiple user accounts with a single email
   address, set value as True to enable, otherwise set as False to disable.
-  This behavior is enabled by default (True) unless specifically set::
+  This behavior is disabled by default (False) unless specifically set::
 
-      SOCIAL_AUTH_ASSOCIATE_BY_MAIL = False
+      SOCIAL_AUTH_ASSOCIATE_BY_MAIL = True
 
 - You can send extra parameters on auth process by defining settings per
   provider, example to request Facebook to show Mobile authorization page,

doc/configuration.rst

@@ -216,9 +216,9 @@ Configuration
 
   It is also possible to associate multiple user accounts with a single email
   address, set value as True to enable, otherwise set as False to disable.
-  This behavior is enabled by default (True) unless specifically set::
+  This behavior is disabled by default (False) unless specifically set::
 
-      SOCIAL_AUTH_ASSOCIATE_BY_MAIL = False
+      SOCIAL_AUTH_ASSOCIATE_BY_MAIL = True
 
 - You can send extra parameters on auth process by defining settings per
   provider, example to request Facebook to show Mobile authorization page,

social_auth/backends/pipeline/associate.py

@@ -15,7 +15,7 @@ def associate_by_email(details, user=None, *args, **kwargs):
 
     warn_setting('SOCIAL_AUTH_ASSOCIATE_BY_MAIL', 'associate_by_email')
 
-    if email and setting('SOCIAL_AUTH_ASSOCIATE_BY_MAIL', True):
+    if email and setting('SOCIAL_AUTH_ASSOCIATE_BY_MAIL', False):
         # try to associate accounts registered with the same email address,
         # only if it's a single object. AuthException is raised if multiple
         # objects are returned