-
Bug
-
Resolution: Fixed
-
Critical
-
2.6.3, 2.7, 2.8.7, 2.9.1
-
MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
-
MOODLE_28_STABLE, MOODLE_29_STABLE
-
MDL-46232-master -
-
Team '; drop tables Sprint 9
If you try to delete two user accounts which don't have an email address at the same time, you see the following error message "Only lowercase letters allowed".
To replicate, run this code (note you'll only see the error if the two deletions occur in the same second):
$user1 = create_user_record("user1", "password1");
|
$user2 = create_user_record("user2", "password2");
|
delete_user($user1);
|
delete_user($user2);
|
This seems to be caused by the way that Moodle fabricates a fake username for deleted users in the delete_user() function. It tries the email address + a dot + the current timestamp. If this is already is use, it tries to increment this string to produce another unused username.
However, where the email address is empty, incrementing this seems to convert to a number (so for example ".1234567890" increments to the number 1.1234567890 instead of the expected string ".1234567891"). When this is passed to user_update_user(), which checks it against the lower case version of itself, the comparison fails as it's using the "identically equals" operator.
I realise Moodle accounts shouldn't have empty email addresses (and can't be used until an email address is entered), but there's nothing to stop accounts being automatically created without an email address. We often see this in the Shibboleth plugin for example.