wp_insert_user allows the new user to have a username equal to an already registered email

[buutqn]

Scenario:

User A is an administrator, has username = 'admin' and email = 'admin@…';
User B registers (open to register wp install) with username = 'admin@…' and email = 'test@…';

In my case, i use both users, one to admin the website, and the other to simulate an customer user. Both users had same password.

When i tried to log in with administrator user by email, i end up logged in the as user B.

Then i changed User B password to not conflict, and it works as it should, if i set user A password it gets logged in as user A and if i use User B password it gets logged in as User B.

I don't think this is a security issue, but allowing an user to be registered with another users email as username could be annoying and confuse some website administrators for scams or something else.

To solve this issue, i just filtered username_exists filter and checked if the username was existing email.

public function __construct() {
    add_filter("username_exists", array($this, "username_exists"));
}

public function username_exists($user_id, $username) {
    if (email_exists($username)) {
        $user = get_user_by("email", $username);
        if ($user->exists()) {
            return $user->ID;
        }
    }
    return $user_id;
}

[dunhakdis]

I was able to reproduce the same behaviour. I think it should throw a WP_Error if the supplied username already exists as an email of an existing user.

The same behaviour can be reproduced with wp-login.php?action=register form.

Added a patch.

[dunhakdis]

Added check to determine if username supplied already exists as an email of an existing user.

---
Trac ticket: https://core.trac.wordpress.org/ticket/57394

@mukeshpanchal27 Thanks. I've applied your suggestions as commit. Cheers

[dunhakdis]

Updated diff from @mukeshpanchal27 comments

[roytanck]

A possible privacy concern could be that this would allow a bad actor to try entering email addresses until it hits the new error message (assuming an open registration form). They would then know that that address is in use.

[dunhakdis]

I think that is also true for the default WordPress registration form with or without these changes.

Hi @adamsilverstein, @JosephGabito I added a unit test for this fix.

[ajayver]

Created a unit test that attempts to create a new user with admin email as a username.

[dunhakdis]

@ajayver , Thanks for adding a unit-test.

Trac ticket: https://core.trac.wordpress.org/ticket/57394

[ajayver]

This patch includes both the fix and unit tests and the code standards fix.

Fixed the failing code standards issue.

[adamsilverstein]

In 55358:

Login and Registration: prevent registering with username that matches previous user email.

When registering a new user, check that no existing user has an email matching the username.

Prevents a login name collision when one user registers with the email address user@… and a second user tries to register with the username user@….

Props buutqn, dunhakdis, roytanck, ajayver.
Fixes #57394.

Trac ticket: https://core.trac.wordpress.org/ticket/57394

[SergeyBiryukov]

In 55360:

Users: Correct the error code in wp_insert_user() when login matches an existing email.

Move the test next to the other tests for user_login.

Follow-up to [55358].

See #57394.

This patch improves the logic around the username checks added in WP 6.2, to make sure the check doesn't cause issues when updating a user.

Trac ticket: https://core.trac.wordpress.org/ticket/57967

Thanks @costdev, applied and updated

[audrasjb]

Reopening this ticket as changesets [55358] and [55360] are probably going to be reverted, due to an issue reported in ticket #57967.

Wondering if this PR should be repurposed or a new one opened to implement the logic discussed in ​https://github.com/WordPress/wordpress-develop/pull/4257#discussion_r1144203722 and the following comments.

[hellofromTonya]

@audrasjb are you still planning to commit the reverts?

[audrasjb]

In 55584:

Login and Registration: Revert [55358] and [55360].

This reverts the changes implemented in [55358] and [55360].

Changeset [55358] was committed to prevent login name collision when one user registers with the email address user@example.com and a second user tries to register with the username user@example.com. However, it also introduced a potential backward compatibility issues for plugins that use wp_update_user(). When updating an existing user, it throws an existing_user_email_as_login error if the email address is also used for the user login, due to the code introduced in [55358].

This changeset removes the new scenario added in [55358] and [55360], restoring the wp_insert_user() function back to its previous state.

Props polevaultweb, audrasjb, costdev, peterwilsoncc, hellofromTonya, SergeyBiryukov, azaozz.
See #57967, #57394.

[hellofromTonya]

Marking for double committer sign-off.

[hellofromTonya]

[55584] is ready for backport to 6.2 branch.

[audrasjb]

In 55585:

Login and Registration: Revert [55358] and [55360].

This reverts the changes implemented in [55358] and [55360].

Changeset [55358] was committed to prevent login name collision when one user registers with the email address user@example.com and a second user tries to register with the username user@example.com. However, it also introduced a potential backward compatibility issues for plugins that use wp_update_user(). When updating an existing user, it throws an existing_user_email_as_login error if the email address is also used for the user login, due to the code introduced in [55358].

This changeset removes the new scenario added in [55358] and [55360], restoring the wp_insert_user() function back to its previous state.

Props polevaultweb, audrasjb, costdev, peterwilsoncc, hellofromTonya, SergeyBiryukov, azaozz.
Reviewed by hellofromTonya.
Merges [55584] to the 6.2 branch.
See #57967, #57394.

[hellofromTonya]

The changesets have been reverted. Additional considerations are needed to address the issue raised #57967 and potentially other scenarios.

With 6.2 Dry Run and final release next week, it's too late in the cycle to continue working on this. Moving to 6.3.

[agnieszkaszuba]

Test Report

This report validates that the indicated patch addresses the issue.

Patch tested: https://core.trac.wordpress.org/ticket/57394

Environment

• OS: macOS 13.0.1
• Web Server: Nginx
• PHP: 7.4.24
• WordPress: 6.3-alpha-55505-src
• Browser: Chrome 109.0.5414.119 (Official Build) (x86_64)
• Theme: Twenty Twenty-Three
• Active Plugins: -

Actual Results

• ✅ Issue resolved with patch.

Additional Notes

Supplemental Artifacts

Trac ticket: https://core.trac.wordpress.org/ticket/57394

[adamsilverstein]

​https://github.com/WordPress/wordpress-develop/pull/4749 includes a new fix for this: the additional check is only applied when a new user is being created - and not for user updates.

[costdev]

Splits the test method into two separate tests, with documentation updates and $message parameters for multiple assertions.

[costdev]

@adamsilverstein I've submitted 57394-tests-updated.diff with some test updates. Feel free to add them to ​PR 4749 if you want to keep everything together. 🙂

[chaion07]

Thanks @buutqn for reporting this. We reviewed this ticket during a recent bug-scrub session and based on the feedback received we are keeping the milestone intact for another 6 hours hoping that someone would volunteer. Otherwise we are happy to update the milestone to 6.4

Props to @mukesh27 & @oglekler

[audrasjb]

Moving to 6.4 as we're approaching 6.3 RC1.

Checking for username and email conflicts for new users and units tests

Trac ticket: https://core.trac.wordpress.org/ticket/57394

[rajinsharwar]

Adding another updated PR with the changes in wp-admin/includes/user.php. Because there are some warnings shown while trying to create a user with the same email as the username if we don't make these updated changes. Requesting a review. Added the unit tests from @costdev in the PR as well, to keep it all in one place.

[rajinsharwar]

Test Report

This report validates that the indicated patch addresses the issue.

Patch tested: https://core.trac.wordpress.org/ticket/57394

Environment

OS: Windows 11
Web Server: Nginx
PHP: 8.1.9
WordPress: 6.3
Browser: Chrome 115.0.5790.171 (Official Build) (64-bit)
Theme: Twenty Twenty-Three
Active Plugins: - none

Actual Results

✅ Issue resolved with the patch (PR: 5032​https://github.com/WordPress/wordpress-develop/pull/5032). No errors/warnings were triggered.

Attachments

[rajinsharwar]

Let's make this new patch test further by some more people, then I guess, we can put this for commit.

[brianhenryie]

Single test confirming the error message is shown when attempting to register a second user with the first user's email address as username

[rajinsharwar]

Great, we can put this for commit then I believe @audrasjb

[hellofromTonya]

A 6.4 Beta 5 is tentatively scheduled for tomorrow (Oct 16th) and RC1 is the next day (Oct 17th).

@audrasjb is this ready for commit? Are you planning to commit it?

[ironprogrammer]

Test Report

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/5032 👍🏻

Environment

• Hardware: MacBook Pro Apple M1 Pro
• OS: macOS 13.6
• Browser: Safari 16.6
• Server: nginx/1.25.2
• PHP: 8.2.11
• WordPress: 6.4-alpha-56267-src
• Theme: twentytwentythree v1.2

Actual Results

• ✅ Unable to create a new user (/wp-admin/user-new.php) with a username that matches an existing user's email. An error error message is returned (Figure 1).
• ✅ Unable to register a new user (/wp-login.php?action=register) with a username that matches an existing user's email. An error error message is returned (Figure 2).

Supplemental Artifacts

Figure 1: New User result if username admin with email admin@example.com already exists.

Figure 2: Registration result if username admin with email admin@example.com already exists.

[ironprogrammer]

@brianhenryie, thank you for the e2e test (attachment:57394-create-username.test.js.diff​) 🙌🏻

I think this would be good to include alongside this update, but now that ​all Core tests have been migrated to Playwright, this could be refreshed as a follow-up ticket to possibly merge during RC.

[hellofromTonya]

In reviewing ​the patch and this ticket's history, it's not clear to me that the patch addresses the ​additional concerns shared here, concerns that lead to the original patch being reverted (i.e. reported in #57967).

Given that tomorrow is RC1, I think this ticket needs more time and consideration to ensure it handles the different scenarios. Moving it to 6.5. However, if there is confirmation that yes indeed all scenarios are resolved before RC1, then please move it back into 6.4.

[sumitbagthariya16]

Test Report
Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/5032
---

Environment
OS: macOS 13.3
Browser: Chrome
Web Server: Nginx 1.20.2
PHP: 8.0.30
WordPress: 6.4.1
Theme: Twenty Eleven v4.5

Screenshot:
​https://prnt.sc/_rq2qHrcej8n

[rajinsharwar]

Punting this for Future Releases, as the patch still needs some work to be done.

[SirLouen]

Additional Test Report

Description

❌ This report can't validate that the indicated patch works as expected.

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/5032.diff

Environment

• WordPress: 6.9-alpha-60093-src
• PHP: 8.2.28
• Server: nginx/1.27.5
• Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
• Browser: Chrome 137.0.0.0
• OS: Windows 10/11
• Theme: Twenty Twenty-One 2.5
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Testing Steps (New Scenario)

1. Create a user with username: test@… and email test@…
2. Create a user with username: foo and email foo@…
3. Edit the user foo and change the email to test@…
4. 🐞 Email can be set to the username of the first user.

Expected Results

• Impossible to have the same email to an username

Actual Results

1. ❌ Issue is not resolved with patch.

Additional Notes

• I have not repeated the on creation tests because we have already multiple reports.

• Capitalizing on the comment by Tonya, @costdev suggested that extra things should be checked, both in the patch and the unit tests. At this moment, we are are only accounting for creation, but not for editing. Citing costdev:

We only allow updating if:
Context: Updating with a unique username
The username doesn't exist
Context: Updating with a unique email address
The email address doesn't exist
Context: Updating a user without changing the username or email address
The username exists, but for the same user.
The email address exists, but for the same user.
Context: Updating a user to make the username and email address match
The username exists as an email address, but it's for the same user.
The email address exists as a username, but it's for the same user.

• There were some extra e2e tests added here and not included in the patch: https://core.trac.wordpress.org/attachment/ticket/57394/57394-create-username.test.js.diff that could need to be refreshed by @brianhenryie

Trac ticket: https://core.trac.wordpress.org/ticket/57394