Opened 7 years ago
Closed 5 years ago
#43232 closed defect (bug) (fixed)
User signups should be marked `active=0` after account is deleted
Reported by: | | Owned by: |
---|---|---|---|
Milestone: | 5.5 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Users | Keywords: | 2nd-opinion has-patch |
Focuses: | multisite | Cc: |
Description
On multisites with open registration, the flow works like this:
- User registers at wp-signup.php, which puts an entry into `wp_signups` with `active=0`.
- When the user clicks the link in the activation email, the `wp_users` entry is created, and the entry in `wp_signups` is marked `active=1`.
Later, if that user's account is deleted - i.e. the record is removed from the `wp_users` table - the record in `wp_signups` is left untouched. This causes problems if the user creates an account, deletes it, and then tries to register again using the same login or email address. https://core.trac.wordpress.org/browser/tags/4.9.2/src/wp-includes/ms-functions.php?marks=503-524#L499
The problem goes away after two days, after which registering with info that matches an existing signup causes the old signup to be deleted in favor of the new one.
That said, it feels like some confusion could be avoided - and the database kept somewhat more internally consistent - by setting `active=0` when an account is deleted. Does this seem reasonable to others?
Change History (6)
#2
@
7 years ago
Also, the problem isn't limited to sites "with open registration".
If an account is created via `/wp-admin/user-new.php` and then deleted via `/wp-admin/network/users.php?action=deleteuser&id=ddd`, the same state of affairs occurs.
#3
@
5 years ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 5.5
It should be okay to delete the signup entry when a user is deleted like done in https://github.com/WordPress/wordpress-develop/pull/295.
Setting `active=0` would make the database more "internally consistent" but it doesn't actually make "the problem go away".
This is because the queries in `wpmu_validate_user_signup()` don't bother to check `active`. So, if a user activates their account, then deletes it and tries to register again (within the 2 day window) they would still get the `That username is currently reserved but may be available in a couple of days.` error message.
I'm curious: why isn't the relevant row from `wp_signups` deleted when the user account is deleted?
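The behaviour discussed in this ticket can be reproduced with a small model. This is an added example, not WordPress code or the linked patch: the two-table SQLite schema, the function names and the `policy` values are assumptions made for illustration, and the lookup is a simplified stand-in for the signup validation the comments describe.

```python
import sqlite3
from datetime import datetime, timedelta

RESERVED_FOR = timedelta(days=2)  # the two-day window described in the ticket

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE signups (login TEXT, registered TEXT, active INTEGER)")
    return db

def signup(db, login, now):
    """Return None and record a pending signup, or return why the login is refused."""
    if db.execute("SELECT 1 FROM users WHERE login=?", (login,)).fetchone():
        return "exists"
    # As noted in the thread, this lookup does not filter on `active`.
    row = db.execute("SELECT registered FROM signups WHERE login=?", (login,)).fetchone()
    if row:
        if now - datetime.fromisoformat(row[0]) <= RESERVED_FOR:
            return "reserved"
        db.execute("DELETE FROM signups WHERE login=?", (login,))  # stale row replaced
    db.execute("INSERT INTO signups VALUES (?, ?, 0)", (login, now.isoformat()))
    return None

def activate(db, login):
    db.execute("INSERT INTO users VALUES (?)", (login,))
    db.execute("UPDATE signups SET active=1 WHERE login=?", (login,))

def delete_user(db, login, policy):
    db.execute("DELETE FROM users WHERE login=?", (login,))
    if policy == "deactivate":    # the ticket's original proposal
        db.execute("UPDATE signups SET active=0 WHERE login=?", (login,))
    elif policy == "delete":      # the approach suggested in the comments
        db.execute("DELETE FROM signups WHERE login=?", (login,))
    # policy == "untouched": the reported behaviour, signup row left as-is

def reregister(policy, delay):
    """Register, activate, delete, then try the same login again after `delay`."""
    db, t0 = new_db(), datetime(2020, 1, 1)  # constructed timestamp
    signup(db, "alice", t0)
    activate(db, "alice")
    delete_user(db, "alice", policy)
    return signup(db, "alice", t0 + delay)

if __name__ == "__main__":
    for policy in ("untouched", "deactivate", "delete"):
        print(policy, reregister(policy, timedelta(hours=1)))
```

In this model only the `delete` policy frees the login immediately; `deactivate` changes the stored flag but the lookup still finds the row.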