[wp-trac] [WordPress Trac] #44347: WP allows creating username that is already used email address

WordPress Trac noreply at wordpress.org
Sun Jun 10 23:20:34 UTC 2018


#44347: WP allows creating username that is already used email address
---------------------------+------------------------------
 Reporter:  phillipburger  |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Users          |     Version:
 Severity:  normal         |  Resolution:
 Keywords:                 |     Focuses:
---------------------------+------------------------------

Comment (by phillipburger):

 Thanks! Yeah, I guess when you allow end users to input information, they
 will find the bugs.

 I was using a check similar to the example on
 https://developer.wordpress.org/reference/functions/wp_create_user/#user-contributed-notes
 which checks:

 1. does the username entered exist as a username
 2. does the email entered exist as an email address

 but it forgot to check the other 2 ways of:

 3. does the username exist as an email address (the problem I had in this
 case)
 4. does the email address exist as a username (a reverse problem that
 would cause the same issue)

 I just over coded my side to do checks of username and email address both
 in username_exists() and email_exists() and then make sure all 4 checks
 brought back false before processing.

 I have been using filters already but I did not think of it here.

 Let me know any more info needed.

 Replying to [comment:1 pbiron]:
 > Welcome to trac!!!
 >
 > Nice catch...in all my years building WP sites I never thought to use email addresses as usernames :-)
 >
 > In the support topic you reference you say,
 >
 > > I have since added a check in my code to stop this
 >
 > I'm not sure how you implemented that check, but I would suggest you do so using the [[https://developer.wordpress.org/reference/hooks/username_exists/|username_exists]] filter, as follows:
 >
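 > {{{#!php
 > <?php
 > add_filter( 'username_exists', 'my_username_exists_filter_func', 10, 2 );
 > function my_username_exists_filter_func( $user_id, $username ) {
 >       // A user already has this login: keep the original result.
 >       if ( $user_id ) {
 >               return $user_id;
 >       }
 >
 >       // Otherwise report the name as taken if it is another user's email address.
 >       // The filter expects a user ID or false, not a WP_User object.
 >       $user = get_user_by( 'email', $username );
 >       return $user ? $user->ID : false;
 > }
 > }}}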
 >
 > This will cause [[https://developer.wordpress.org/reference/functions/wp_create_user/|wp_create_user()]] to return a `WP_Error` and the new user will not be created.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44347#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
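
The four checks listed in the comment above, as an added example that is not part of the original ticket or of WordPress core. `my_identifier_conflicts()` and the `my_sample_*` stand-ins are hypothetical names, and the sample users are constructed so the file also runs under the PHP CLI outside WordPress.

```php
<?php
// Added example. Inside WordPress the real username_exists() and
// email_exists() are used; the stand-ins below exist only for a CLI run.
if ( ! function_exists( 'username_exists' ) ) {
	// Constructed sample users: ID => [ user_login, user_email ].
	$GLOBALS['my_sample_users'] = array(
		1 => array( 'alice', 'alice@example.com' ),
		2 => array( 'bob@example.com', 'robert@example.net' ),
	);
	function my_sample_lookup( $column, $value ) {
		foreach ( $GLOBALS['my_sample_users'] as $id => $row ) {
			if ( 0 === strcasecmp( $row[ $column ], $value ) ) {
				return $id;
			}
		}
		return false;
	}
	function username_exists( $username ) {
		return my_sample_lookup( 0, $username );
	}
	function email_exists( $email ) {
		return my_sample_lookup( 1, $email );
	}
}

// Hypothetical helper: lists every way the requested identifiers collide.
function my_identifier_conflicts( $username, $email ) {
	$checks = array(
		'username exists as a username'       => username_exists( $username ),
		'email exists as an email address'    => email_exists( $email ),
		'username exists as an email address' => email_exists( $username ),
		'email exists as a username'          => username_exists( $email ),
	);
	// Each lookup returns a user ID or false; keep the labels that matched.
	return array_keys( array_filter( $checks ) );
}

// Demo with constructed inputs, skipped when loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	print_r( my_identifier_conflicts( 'alice@example.com', 'new@example.org' ) );
	print_r( my_identifier_conflicts( 'carol', 'bob@example.com' ) );
	print_r( my_identifier_conflicts( 'carol', 'carol@example.org' ) );
}
```

Call `wp_create_user()` only when the returned array is empty.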