- Bug
- Resolution: Fixed
- Major
- 3.0.2
- MySQL
- MOODLE_30_STABLE
- MOODLE_29_STABLE, MOODLE_30_STABLE
- MDL-52831-master-emptynames
- Moderate

We first experienced this on moodle.org a year ago when a user account was mysteriously deleted after a couple of days. We were able to trace it down to the fact that the account had been registered with an empty lastname and it was then deleted as incomplete. It was still unclear how such an account could have been created.
This has now happened again with another user and luckily tsala realized that there is a bug in the user registration form, allowing users to register with a space instead of a first name and/or last name.
The problem is that MySQL does not consider trailing whitespace as significant when comparing CHAR and VARCHAR strings with the = operator - https://dev.mysql.com/doc/refman/5.7/en/string-comparison-functions.html
So on MySQL, the SQL condition WHERE lastname = '' OR firstname = '' matches these accounts with a space and they are deleted by delete_incomplete_users_task.
Steps to reproduce
- You need a MySQL site to reproduce this.
- Allow self-registration on the site.
- Register as a new user, using a space (" ") instead of the first name and the last name.
- Confirm the account (either manually or via the email).
- Log in as the newly registered user (so that there is "Last access" set).
- Set $CFG->deleteincompleteusers = 1/3600; in the config.php file temporarily (this is a hacky trick allowing us not to wait).
- Execute the delete_incomplete_users_task:
  $ sudo -u apache php admin/tool/task/cli/schedule_task.php --execute='\core\task\delete_incomplete_users_task'
Expected results
- Moodle should not allow registration with an empty first name or an empty last name.
- To prevent removal of existing accounts, the task should not delete accounts that were already created with whitespace instead of the proper value.
Actual results
- Moodle allows registration with empty names.
- Such accounts are silently deleted if "Delete incomplete users after" (deleteincompleteusers) is defined, even if they are properly used as real user accounts.
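
The following is an added example, not part of the original report and not Moodle's code. It reproduces the mismatch between the cleanup condition and the stored names, then shows an exact-match condition and a signup check that rejects whitespace-only names. Assumptions: SQLite's built-in RTRIM collation stands in for MySQL's trailing-space-insensitive `=` comparison, and the table layout, sample rows and function names are hypothetical.

```python
import sqlite3

# Constructed sample accounts; ids and names are illustrative only.
SAMPLE_USERS = [
    (1, "Ada", "Lovelace"),  # complete profile
    (2, "", ""),             # genuinely incomplete signup
    (3, " ", " "),           # registered with a single space in both fields
]

def open_db():
    """In-memory table whose name columns ignore trailing spaces on '='.

    Assumption: SQLite's RTRIM collation emulates how MySQL compares
    CHAR/VARCHAR values with '=' as described in the report.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
               "firstname TEXT COLLATE RTRIM, lastname TEXT COLLATE RTRIM)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return db

def incomplete_ids_naive(db):
    """The condition from the report: also matches whitespace-only names."""
    rows = db.execute("SELECT id FROM user "
                      "WHERE lastname = '' OR firstname = '' ORDER BY id")
    return [r[0] for r in rows]

def incomplete_ids_exact(db):
    """Length-based test: only truly empty strings count as incomplete."""
    rows = db.execute("SELECT id FROM user "
                      "WHERE length(lastname) = 0 OR length(firstname) = 0 "
                      "ORDER BY id")
    return [r[0] for r in rows]

def signup_errors(firstname, lastname):
    """Hypothetical form check: reject names that are empty after trimming."""
    errors = {}
    for field, value in (("firstname", firstname), ("lastname", lastname)):
        if value.strip() == "":
            errors[field] = "missing"
    return errors

if __name__ == "__main__":
    db = open_db()
    print("naive cleanup would delete:", incomplete_ids_naive(db))
    print("exact cleanup would delete:", incomplete_ids_exact(db))
    print("signup with spaces:", signup_errors(" ", " "))
```

Both halves matter: the signup check stops new whitespace-only names from being stored, while the exact-match condition keeps the cleanup task from removing accounts that were already created that way.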