Make WordPress Core

Opened 19 years ago

Closed 15 years ago

#1626 closed defect (bug) (fixed)

user_nicename should be unique

Reported by: claudem's profile claudem Owned by: pishmishy's profile pishmishy
Milestone: 2.8 Priority: normal
Severity: normal Version: 1.5.1.2
Component: General Keywords: has-patch tested dev-feedback
Focuses: Cc:

Description

When registering new users, WP should check that the sanitized version of the username (user_nicename) is unique in the DB. If this check is not made, we can end up with two different users sharing the same user_nicename.

This is a problem if the permalinks are built with author names (/%author%/...). There is potential for ambiguity in this situation if two username result in the same niice name.

Example: "user-1" and "user 1" both get the same nice name: "user-1".

I recommend to make the user_nicename column unique, like user_login.

Attachments (4)

wp_check_nicename.diff (3.5 KB) - added by charleshooper 17 years ago.
Adds user_nicename checks to WP
wp_check_nicename2.diff (3.5 KB) - added by charleshooper 17 years ago.
Adds user_nicename checks to WP, with caching
1626.patch (2.0 KB) - added by pishmishy 16 years ago.
Modifies username_exists() and adds get_user_by_nicename()
1626.diff (1.0 KB) - added by Denis-de-Bernardy 15 years ago.

Download all attachments as: .zip

Change History (34)

#1 @claudem
19 years ago

  • Cc claude@… added

#2 @claudem
19 years ago

Of course, there is an issue for ugrades: if there are already duplicate nicenames in wp-users, the script that adds the unique constraint will fail. Therefore, this request may be a documented issue that administrator can enforce by adding a constraint to the users table.

#3 @markjaquith
19 years ago

That would mean that nicknames have to be unique (well, more than unique). You can't have someone with a nickname of "User" and someone with a nickname of "user" or someone with a nickname of "This User" and somone with a nickname of "this-user"

Maybe it should just work that when you update your profile, it won't let you choose an existing sanitized nickname. Place that already have it will have problems, and they'll be able to fix them the next time they edit their profiles.

#4 @markjaquith
19 years ago

we also might consider that having the permalink be based on something that can be changed on a whim isn't really such a good idea. These links are far from "perma." Using a sanitized login would be better.

#5 @claudem
19 years ago

Just to be sure we are understanding each other, I was in fact talking about "nice" name. Not "nick" name. The nicename is not editable and it is the sanitized version of the username.

Thus, this field could be used as a permalink since it cannot change over time. We only have to be sure it is unique.

#6 @Nazgul
18 years ago

  • Keywords needs-patch added
  • Milestone set to 2.1

#7 @matt
18 years ago

  • Milestone changed from 2.1 to 2.2

#8 @charleshooper
17 years ago

  • Cc charleshooper added

#9 @charleshooper
17 years ago

  • Keywords has-patch needs-testing 2nd-opninion added; needs-patch removed
  • Owner changed from anonymous to charleshooper
  • Status changed from new to assigned
  • Version changed from 1.5.1.2 to 2.1

I've added a patch for 2.1 to fix this. The patch adds a nicename_exists() function, which relies on another function I just added: get_userdatabynicename(). This function works the exact same way as get_userdatabylogin() however it checks user_nicename, which is always derived from sanitize_title ( user_login ) .

get_userdatabynicename() does not currently use any caching. I could change that, but I think that is better suited for 2.2 where caching has been fixed up a bit.

#10 @foolswisdom
17 years ago

  • Version changed from 2.1 to 1.5.1.2

Don't update the version, that is the version where it was first reported against. Not that it often matters.

#11 @charleshooper
17 years ago

Whoops, my bad.

Should the database schema also be modified to create a UNIQUE index on wp_users.user_nicename?

@charleshooper
17 years ago

Adds user_nicename checks to WP

@charleshooper
17 years ago

Adds user_nicename checks to WP, with caching

#12 @charleshooper
17 years ago

For whatever reason my new patch wasn't getting posted (or maybe it was just cached) whenever I tried to upload it with the same filename, so I posted the one labeled wp_check_nicename2.diff, ignore the first one please, I made an error.

#13 @johnbillion
17 years ago

#3965 has been marked a duplicate of this bug.

#14 @foolswisdom
17 years ago

  • Milestone changed from 2.2 to 2.3

#15 @westi
17 years ago

  • Keywords has-patch removed

Current patch does not apply cleanly - removing has-patch

If we are to do the validation of user_nicename it should be done in wp_insert_user I think we a check against the cache/db in there.

#16 @ryan
17 years ago

  • Milestone changed from 2.3 to 2.4 (next)

#17 @hansengel
16 years ago

  • Keywords 2nd-opinion added; 2nd-opninion removed

#18 @pishmishy
16 years ago

  • Keywords needs-patch added; needs-testing 2nd-opinion removed
  • Owner changed from charleshooper to pishmishy
  • Status changed from assigned to new

I think we could use the pre_user_nicename filter to check for uniqueness.

#19 @pishmishy
16 years ago

  • Status changed from new to assigned

#20 @pishmishy
16 years ago

  • Keywords has-patch needs-testing dev-feedback added; needs-patch removed

We don't use the pre_user_nicename filter, just modify username_exists() to make sure another user doesn't have the same nicename. Adds a function to retrieve user data based on nicename.

I'm not entirely sure how this would effect upgrades to an installation where nice-names are already conflicting, so tagged as needs-testing and dev-feedback.

@pishmishy
16 years ago

Modifies username_exists() and adds get_user_by_nicename()

#21 follow-up: @pishmishy
16 years ago

I'm almost tempted to close this one. A solution has been offered up but there doesn't appear to be too many people calling for it.

#22 @claudem
16 years ago

  • Cc claudem added; claude@… removed

#23 @johanee
15 years ago

wp_cache_add($nicename, 0, 'useremail') should probably be 'usernicename' (if this patch is ever merged...).

#24 in reply to: ↑ 21 @superann
15 years ago

Replying to pishmishy:

I'm almost tempted to close this one. A solution has been offered up but there doesn't appear to be too many people calling for it.

I'm calling for it! I just ran into this problem, which I wrote about on the support forums. Would love to see this fixed as the duplicates prevent access to some author pages via the permalink url for users who registered via the normal process, which I would think should classify as a bug.

#27 @Denis-de-Bernardy
15 years ago

  • Keywords tested added; needs-testing removed
  • Milestone changed from 2.9 to 2.8

new patch processes the user nicename in much the same way as post names, to ensure they're unique.

one advantage over previous patches is that this'll continue to work with old installs: the non-unique nicenames will coexist harmlessly, until one of the users with a dup nicename is updated.

#29 @Denis-de-Bernardy
15 years ago

err, woops, that was #4170

#30 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [10997]) Make user_nicenames unique. Props Denis-de-Bernardy. fixes #1626

Note: See TracTickets for help on using tickets.