[wp-trac] [WordPress Trac] #44347: WP allows creating username that is already used email address
WordPress Trac
noreply at wordpress.org
Mon Jun 11 20:12:20 UTC 2018
#44347: WP allows creating username that is already used email address
---------------------------+------------------------------
 Reporter:  phillipburger  |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Users          |     Version:
 Severity:  normal         |  Resolution:
 Keywords:                 |     Focuses:
---------------------------+------------------------------
Comment (by phillipburger):
As much input as possible is great. I think this seems to make sense:
when a new username comes in, make sure it is not an already existing
email address. But the other way too - what if a new email address is
entered and it is already a username? That needs to be verified as well.
And as this is fixed, what should the solution be if these situations
already exist in a deployment? Do they need to be flagged for updates
somehow?
Replying to [comment:4 subrataemfluence]:
> Good find!!
> Adding an additional guard for checking the existence of the username
> supplied in the email field in core functionality should resolve the issue.
>
> Possible solution:
>
>
> {{{
> File name: includes/user.php.
> Function: edit_user
> }}}
>
> Addition:
>
> {{{#!php
> <?php
> if ( ! $update && email_exists( $user->user_login ) ) {
>     $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it is already in use as email address of another account.' ) );
> }
> }}}
>
>
>
> {{{
> File: wp-includes/user.php
> Function: register_new_user
> }}}
>
> Addition:
>
> {{{#!php
> <?php
> if ( $user_email == '' ) {
>     ...
> } elseif ( ! is_email( $user_email ) ) {
>     ...
> } elseif ( email_exists( $user_email ) ) {
>     ...
> } elseif ( email_exists( $sanitized_user_login ) ) {
>     $errors->add( 'email_exists', __( '<strong>ERROR</strong>: This username is invalid because it is already in use as email address of another account.' ) );
> }
> }}}
>
> I think adding the check into the core itself will prevent additional
> filters and functions.
>
> Please let me know if this makes some sense.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44347#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
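
Added example (not part of the ticket and not WordPress core code): an audit for the question raised in the comment above about deployments where such accounts already exist. Both directions discussed in the thread leave the same stored state, one account's user_login equal to another account's user_email, so a single self-join finds them. It assumes the standard wp_users columns ID, user_login and user_email, runs on constructed rows in an in-memory SQLite table, and compares case-insensitively, which is an assumption.

```python
import sqlite3

# Constructed sample rows: (ID, user_login, user_email), shaped like wp_users.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob@example.com", "robert@example.net"),  # login equals user 3's email
    (3, "bob", "bob@example.com"),
    (4, "Carol@Example.com", "c@example.org"),     # differs from user 5's email only by case
    (5, "carol", "carol@example.com"),
    (6, "dave@example.com", "dave@example.com"),   # own email as login: not a collision
]

# One account's login matches a *different* account's email.
# LOWER() makes the match case-insensitive (assumption, see lead-in).
AUDIT_SQL = """
SELECT l.ID, l.user_login, e.ID
FROM wp_users AS l
JOIN wp_users AS e
  ON LOWER(l.user_login) = LOWER(e.user_email)
 AND l.ID <> e.ID
ORDER BY l.ID, e.ID
"""


def build_sample_db(rows=SAMPLE_USERS):
    """Create an in-memory table holding only the columns the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", rows)
    return conn


def find_login_email_collisions(conn):
    """Return (login_owner_id, shared_value, email_owner_id) per collision."""
    return conn.execute(AUDIT_SQL).fetchall()


def accounts_to_flag(collisions):
    """Both accounts in a collision need review, so collect both IDs."""
    ids = set()
    for login_owner, _value, email_owner in collisions:
        ids.update((login_owner, email_owner))
    return sorted(ids)


if __name__ == "__main__":
    found = find_login_email_collisions(build_sample_db())
    for row in found:
        print(row)
    print("flag for review:", accounts_to_flag(found))
```

The SELECT itself can be run read-only against a copy of a site's user table, replacing wp_users with the site's prefixed table name.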