Moodle / MDL-52831

Moodle allows to register with empty name and then deletes the account silently


    • MySQL
    • MOODLE_30_STABLE
    • MOODLE_29_STABLE, MOODLE_30_STABLE
    • MDL-52831-master-emptynames
    • Moderate
      • Follow the steps to reproduce and make sure you reach the expected behaviour.
      • Please note that the patched version will not normally let you register a user with an empty name (this is now covered with new Behat tests). You will probably want to set firstname or lastname to something like a single space character directly via the database.

      We first experienced this on moodle.org a year ago when a user account was mysteriously deleted after a couple of days. We were able to trace it down to the fact that the account had been registered with an empty lastname and it was then deleted as incomplete. It was still unclear how such an account could have been created.

      This has now happened again with another user and luckily tsala realized that there is a bug in the user registration form, allowing users to register with a space instead of a first name and/or last name.

      The problem is that MySQL does not consider trailing whitespace as significant when comparing CHAR and VARCHAR strings with the = operator - https://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html

      So on MySQL, the SQL condition WHERE lastname = '' OR firstname = '' matches these accounts with space and they are deleted by delete_incomplete_users_task.

      Steps to reproduce

      1. You need a MySQL site to reproduce this.
      2. Allow self-registration on the site.
      3. Register as a new user, use a space (" ") instead of the first name and the last name.
      4. Confirm the account (either manually or via the email).
      5. Log in as the newly registered user (so that there is "Last access" set).
      6. Set $CFG->deleteincompleteusers = 1/3600; in the config.php file temporarily (this is a hacky trick allowing us not to wait).
      7. Execute the delete_incomplete_users_task:
         $ sudo -u apache php admin/tool/task/cli/schedule_task.php --execute='\core\task\delete_incomplete_users_task'

      Expected results

      • Moodle should not allow registering with an empty first name or an empty last name.
      • To prevent removal of existing accounts, the task should not delete accounts that were already created with whitespace instead of the proper value.

      Actual results

      • Moodle allows registering with empty names.
      • Such accounts are silently deleted if "Delete incomplete users after" (deleteincompleteusers) is defined, even if they are properly used as real user accounts.
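
The comparison behaviour described in this report, as an added example that is not part of the original issue or of Moodle's code. It assumes SQLite's built-in RTRIM collation as a stand-in for MySQL's trailing-space-insensitive = operator; the table layout, the sample accounts, the length()-based query and valid_name() are hypothetical.

```python
import sqlite3

# Assumption: SQLite's RTRIM collation (trailing spaces ignored by "=")
# stands in for MySQL's comparison of CHAR/VARCHAR values.
SCHEMA = """
CREATE TABLE user (
    id INTEGER PRIMARY KEY,
    firstname TEXT COLLATE RTRIM NOT NULL,
    lastname  TEXT COLLATE RTRIM NOT NULL
)"""

# Constructed sample accounts: id 1 is truly incomplete, id 2 registered
# with spaces and is in real use, id 3 is a normal account.
SAMPLE = [(1, "", ""), (2, " ", " "), (3, "Ada", "Lovelace")]

# The condition quoted in the report, and a hypothetical strict variant
# that counts characters instead of comparing with "=".
LOOSE = "SELECT id FROM user WHERE lastname = '' OR firstname = '' ORDER BY id"
STRICT = ("SELECT id FROM user WHERE length(lastname) = 0 "
          "OR length(firstname) = 0 ORDER BY id")


def make_db():
    """Build an in-memory database holding the constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE)
    return db


def incomplete_ids(db, query):
    """Return the ids a cleanup job using `query` would select for deletion."""
    return [row[0] for row in db.execute(query)]


def valid_name(value):
    """Registration-side check: reject names that are empty once trimmed."""
    return value.strip() != ""


if __name__ == "__main__":
    db = make_db()
    print("loose :", incomplete_ids(db, LOOSE))
    print("strict:", incomplete_ids(db, STRICT))
    print("space accepted at signup:", valid_name(" "))
```

The loose condition selects the space-named account together with the genuinely empty one, while the strict condition selects only the empty one.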

            mudrd8mz David Mudrák (@mudrd8mz)
            Ryan Wyllie Ryan Wyllie
            David Monllaó David Monllaó
            Rajesh Taneja Rajesh Taneja