Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 3.9.11, 3.10.8, 3.11.4, 4.0
- Fix Version/s: None
- Affected Branches: MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
Description
Hi team,
My issue is a bit similar to MDL-61124, but I decided to create a new tracker issue as it seems to me that this one would be fixed in a different way.
The site where the issue was found had $CFG->allowaccountssameemail set to true, but some later requirements changed and the setting was set to false. Duplicated accounts were merged and some of them were suspended. So eventually there is only one active user with a given email address, but there might be one more user with the same email and suspended set to 1.
When one of these users tries to log in for the first time (this might be a real first login attempt, or they might just be logging in using another OAuth 2 service with the same email), OAuth 2 might link them to the wrong user record. This is because \core_user::get_user_by_email returns just the first record, so it may be the suspended user: https://github.com/moodle/moodle/blob/508fe3937edc3b0de058a1d4f001bc93600dd01d/auth/oauth2/classes/auth.php#L513
Apparently, the user login then fails as their linked Moodle user is suspended.
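The lookup problem described in the report, as an added example written for this page. It is not Moodle's code and does not reproduce \core_user::get_user_by_email or the auth_oauth2 plugin: sample_users(), first_user_by_email() and active_user_by_email() are hypothetical helpers, the user rows are constructed, and only the field names (email, suspended, deleted, confirmed) follow Moodle's user table. It contrasts a "first matching record" lookup, which returns the suspended duplicate, with a lookup that accepts exactly one active candidate and otherwise returns nothing.

```php
<?php
// Added example (not Moodle's code): why a "first record by email" lookup can
// hand an OAuth 2 login to a suspended account, and a stricter lookup that
// only accepts exactly one active candidate.

declare(strict_types=1);

// Constructed sample user table. Field names follow Moodle's user table
// (email, suspended, deleted, confirmed); ids, usernames and emails are made up.
// Row order is deliberate: the suspended duplicate comes first, as it would if
// it kept the lower id after an account merge.
function sample_users(): array {
    return [
        (object) ['id' => 41, 'username' => 'jdoe_old', 'email' => 'jdoe@example.com',
                  'suspended' => 1, 'deleted' => 0, 'confirmed' => 1],
        (object) ['id' => 57, 'username' => 'jdoe',     'email' => 'jdoe@example.com',
                  'suspended' => 0, 'deleted' => 0, 'confirmed' => 1],
        // Two active accounts left over from allowaccountssameemail = true.
        (object) ['id' => 58, 'username' => 'asmith',   'email' => 'asmith@example.com',
                  'suspended' => 0, 'deleted' => 0, 'confirmed' => 1],
        (object) ['id' => 59, 'username' => 'asmith2',  'email' => 'asmith@example.com',
                  'suspended' => 0, 'deleted' => 0, 'confirmed' => 1],
        (object) ['id' => 60, 'username' => 'gone',     'email' => 'gone@example.com',
                  'suspended' => 0, 'deleted' => 1, 'confirmed' => 1],
    ];
}

// Mirrors the "first match wins" behaviour the report describes (a hypothetical
// stand-in, not the real core function): deleted rows are skipped and email is
// compared case-insensitively, but suspension is never consulted, so the
// suspended duplicate (id 41) is returned for jdoe@example.com.
function first_user_by_email(array $users, string $email): ?object {
    foreach ($users as $u) {
        if ($u->deleted == 0 && strcasecmp($u->email, $email) === 0) {
            return $u;
        }
    }
    return null;
}

// Stricter lookup: only active accounts (not deleted, not suspended, confirmed)
// are candidates, and a record is returned only when exactly one candidate
// exists. Zero matches and ambiguous matches both yield null, so a caller can
// create a fresh account or refuse the login instead of guessing which local
// user an external identity belongs to.
function active_user_by_email(array $users, string $email): ?object {
    $candidates = array_values(array_filter($users, function (object $u) use ($email): bool {
        return $u->deleted == 0
            && $u->suspended == 0
            && $u->confirmed == 1
            && strcasecmp($u->email, $email) === 0;
    }));
    return count($candidates) === 1 ? $candidates[0] : null;
}

// Human-readable summary of a lookup result for the demo below.
function describe(?object $u): string {
    if ($u === null) {
        return 'no unique active match';
    }
    return "id {$u->id} ({$u->username}, suspended={$u->suspended})";
}

$users = sample_users();
$probes = ['jdoe@example.com', 'asmith@example.com', 'gone@example.com', 'nobody@example.com'];
foreach ($probes as $email) {
    echo $email, PHP_EOL;
    echo '  first record:  ', describe(first_user_by_email($users, $email)), PHP_EOL;
    echo '  active unique: ', describe(active_user_by_email($users, $email)), PHP_EOL;
}
```

Run it with `php lookup.php` (file name is arbitrary). The design choice worth noting is that active_user_by_email() fails closed on ambiguity rather than simply preferring the non-suspended row: on a site where allowaccountssameemail was ever true, two active accounts with the same address are not necessarily the same person, so linking an external identity to whichever record sorts first is the wrong default even when neither is suspended.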
Attachments
Issue Links
- has been marked as being related by:
  - MDL-61124 Oauth2 doesn't work properly with different users having the same e-mail address (Open)