Make WordPress Core

Opened 7 years ago

Closed 5 years ago

#43232 closed defect (bug) (fixed)

User signups should be marked `active=0` after account is deleted

Reported by: boonebgorges
Owned by: ocean90
Milestone: 5.5
Priority: normal
Severity: normal
Version: 3.0
Component: Users
Keywords: 2nd-opinion has-patch
Focuses: multisite
Cc:

Description

On multisites with open registration, the flow works like this:

  1. User registers at wp-signup.php, which puts an entry into wp_signups with active=0.
  2. When the user clicks the link in the activation email, the wp_users entry is created, and the entry in wp_signups is marked active=1.

Later, if that user's account is deleted - i.e. the record is removed from the wp_users table - the record in wp_signups is left untouched. This causes problems if the user creates an account, deletes it, and then tries to register again using the same login or email address. https://core.trac.wordpress.org/browser/tags/4.9.2/src/wp-includes/ms-functions.php?marks=503-524#L499

The problem goes away after two days, after which registering with info that matches an existing signup causes the old signup to be deleted in favor of the new one.

That said, it feels like some confusion could be avoided - and the database kept somewhat more internally consistent - by setting active=0 when an account is deleted. Does this seem reasonable to others?

Change History (6)

#1 @pbiron
7 years ago

Setting active=0 would make the database more "internally consistent" but it doesn't actually make "the problem go away".

This is because the queries in wpmu_validate_user_signup() don't bother to check active. So, if a user activates their account, then deletes it and tries to register again (within the 2 day window) they would still get the "That username is currently reserved but may be available in a couple of days." error message.

I'm curious: why isn't the relevant row from wp_signups deleted when the user account is deleted?

#2 @pbiron
7 years ago

Also, the problem isn't limited to sites "with open registration".

If an account is created via /wp-admin/user-new.php and then deleted via /wp-admin/network/users.php?action=deleteuser&id=ddd the same state of affairs occurs.

#3 @ocean90
5 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 5.5

It should be okay to delete the signup entry when a user is deleted like done in https://github.com/WordPress/wordpress-develop/pull/295.

#4 @ocean90
5 years ago

#50358 was marked as a duplicate.

#5 @ocean90
5 years ago

In 48313:

Users: Pass the WP_User object to the wpmu_delete_user, delete_user, and deleted_user actions.

See #43232.

#6 @ocean90
5 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 48315:

Multisite: Delete the signup entry when a user is deleted from the database.

When a user has registered with incorrect data and got the account deleted immediately, it currently wasn't possible to register with the same login or email address again due to the existing signup entry. They had to wait for two days until the entry gets automatically deleted. Now the associated signup entry gets deleted as part of the account deletion.

Fixes #43232.
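The three outcomes discussed in this ticket, as an added example that is not WordPress code: a small SQLite model of the signup check comparing the original behaviour, the proposed `active=0` update, and the committed fix. The table layout and the function names `validate_signup`, `delete_user` and `scenario` are simplified assumptions, not the project's own.

```python
import sqlite3
from datetime import datetime, timedelta

RESERVED = "That username is currently reserved but may be available in a couple of days."
WINDOW = timedelta(days=2)  # the two-day reservation window described in the ticket

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_login TEXT PRIMARY KEY, user_email TEXT)")
    db.execute("CREATE TABLE signups (user_login TEXT, user_email TEXT, registered TEXT, active INTEGER)")
    return db

def validate_signup(db, login, now):
    """Model of the signup check: the lookup matches on login only, never on `active`."""
    if db.execute("SELECT 1 FROM users WHERE user_login = ?", (login,)).fetchone():
        return "exists"
    row = db.execute("SELECT registered FROM signups WHERE user_login = ?", (login,)).fetchone()
    if row:
        if now - datetime.fromisoformat(row[0]) > WINDOW:
            # Old signup is dropped in favour of the new one.
            db.execute("DELETE FROM signups WHERE user_login = ?", (login,))
        else:
            return RESERVED
    return "ok"

def register_and_activate(db, login, email, now):
    # Step 1: signup row with active=0; step 2: user row created, signup marked active=1.
    db.execute("INSERT INTO signups VALUES (?, ?, ?, 0)", (login, email, now.isoformat()))
    db.execute("INSERT INTO users VALUES (?, ?)", (login, email))
    db.execute("UPDATE signups SET active = 1 WHERE user_login = ?", (login,))

def delete_user(db, login, mode):
    """mode: 'legacy' leaves the signup, 'deactivate' sets active=0, 'fixed' deletes it."""
    db.execute("DELETE FROM users WHERE user_login = ?", (login,))
    if mode == "deactivate":
        db.execute("UPDATE signups SET active = 0 WHERE user_login = ?", (login,))
    elif mode == "fixed":
        db.execute("DELETE FROM signups WHERE user_login = ?", (login,))

def scenario(mode, retry_after):
    """Register, activate, delete, then try to register again after `retry_after`."""
    db = make_db()
    t0 = datetime(2020, 1, 1, 12, 0)  # constructed timestamp
    register_and_activate(db, "alice", "alice@example.test", t0)  # constructed account
    delete_user(db, "alice", mode)
    return validate_signup(db, "alice", t0 + retry_after)
```

Only the `fixed` mode frees the login inside the window; `deactivate` changes the flag but not the result, because the check never reads it.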
