Make WordPress Core

Opened 2 years ago

Last modified 21 months ago

#43232 new defect (bug)

User signups should be marked `active=0` after account is deleted

Reported by: boonebgorges
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0
Component: Users
Keywords: 2nd-opinion
Focuses: multisite
Cc:
PR Number:


On multisites with open registration, the flow works like this:

  1. User registers at wp-signup.php, which puts an entry into wp_signups with active=0.
  2. When the user clicks the link in the activation email, the wp_users entry is created, and the entry in wp_signups is marked active=1.

Later, if that user's account is deleted - i.e. the record is removed from the wp_users table - the record in wp_signups is left untouched. This causes problems if the user creates an account, deletes it, and then tries to register again using the same login or email address. https://core.trac.wordpress.org/browser/tags/4.9.2/src/wp-includes/ms-functions.php?marks=503-524#L499

The problem goes away after two days, after which registering with info that matches an existing signup causes the old signup to be deleted in favor of the new one.

That said, it feels like some confusion could be avoided - and the database kept somewhat more internally consistent - by setting active=0 when an account is deleted. Does this seem reasonable to others?

Change History (2)

#1 @pbiron
21 months ago

Setting active=0 would make the database more "internally consistent" but it doesn't actually make "the problem go away".

This is because the queries in wpmu_validate_user_signup() don't bother to check active. So, if a user activates their account, then deletes it and tries to register again (within the 2 day window), they would still get the "That username is currently reserved but may be available in a couple of days." error message.

I'm curious: why isn't the relevant row from wp_signups deleted when the user account is deleted?

#2 @pbiron
21 months ago

Also, the problem isn't limited to sites "with open registration".

If an account is created via /wp-admin/user-new.php and then deleted via /wp-admin/network/users.php?action=deleteuser&id=ddd, the same state of affairs occurs.
