MDL-73396: OAuth2 links suspended user when there are a few users with the same email


Details

    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE

    Description

      Hi team,

      My issue is a bit similar to MDL-61124, but I decided to create a new tracker as it seems to me that this one would be fixed in a different way.

      The site where the issue was found had $CFG->allowaccountssameemail set to true, but some later requirements had changed and the setting was set to false. Duplicated accounts were merged and some of them were suspended. So eventually there is only one active user with a given email address, but there might be one more user with the same email and suspended set to 1.

      When one of these users tries to log in for the first time (this might be a real first login attempt, or they might just be logging in using another OAuth 2 service with the same email), OAuth2 might link them to the wrong user record. This is because \core_user::get_user_by_email returns just the first record, so it may be a suspended user: https://github.com/moodle/moodle/blob/508fe3937edc3b0de058a1d4f001bc93600dd01d/auth/oauth2/classes/auth.php#L513

      Apparently, the user's login fails as their linked Moodle user is suspended.
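
The lookup behaviour described in the report, as an added example that is not part of the report or of Moodle's own code: an in-memory stand-in for the user table containing one suspended duplicate, a first-match lookup that reproduces the mislink, and a hardened lookup that only considers active accounts and refuses to guess when the address is still ambiguous. The sample records, the function names and the exception type are assumptions made for this illustration; the real \core_user::get_user_by_email() is a database query and is only imitated here.

```php
<?php
// Added illustration for MDL-73396; not Moodle code. The user records and both
// lookup functions are constructed for this example.

declare(strict_types=1);

// Constructed user table: a suspended duplicate left behind by an account
// merge, listed before the active account that shares its email address.
const USERS = [
    ['id' => 7,  'username' => 'alice_old', 'email' => 'alice@example.com', 'suspended' => 1, 'deleted' => 0],
    ['id' => 42, 'username' => 'alice',     'email' => 'alice@example.com', 'suspended' => 0, 'deleted' => 0],
    ['id' => 43, 'username' => 'bob',       'email' => 'bob@example.com',   'suspended' => 0, 'deleted' => 0],
];

/**
 * Imitates the behaviour described in the report: return the first non-deleted
 * record whose email matches, without looking at the suspended flag. If the
 * suspended duplicate sorts first, OAuth 2 linking attaches to that record and
 * the subsequent login is rejected because the account is suspended.
 */
function get_user_by_email_first_match(string $email, array $users = USERS): ?array
{
    foreach ($users as $user) {
        if ($user['deleted'] === 0 && strcasecmp($user['email'], $email) === 0) {
            return $user;
        }
    }
    return null;
}

/**
 * Hardened lookup for account linking: skip deleted and suspended records, and
 * refuse to pick one when more than one active account still shares the
 * address (that case should be reported to an administrator, not auto-linked).
 *
 * @throws RuntimeException when the email is ambiguous among active accounts.
 */
function get_active_user_by_email(string $email, array $users = USERS): ?array
{
    $matches = array_values(array_filter(
        $users,
        static function (array $user) use ($email): bool {
            return $user['deleted'] === 0
                && $user['suspended'] === 0
                && strcasecmp($user['email'], $email) === 0;
        }
    ));

    if (count($matches) > 1) {
        throw new RuntimeException("More than one active account uses the email address $email");
    }

    return $matches[0] ?? null;
}

// Usage: compare which record each lookup would link for the shared address.
$buggy = get_user_by_email_first_match('alice@example.com');
$fixed = get_active_user_by_email('alice@example.com');

printf("first match: id=%d username=%s suspended=%d\n", $buggy['id'], $buggy['username'], $buggy['suspended']);
printf("active only: id=%d username=%s suspended=%d\n", $fixed['id'], $fixed['username'], $fixed['suspended']);
```

The same shape applies to a real query: the linking path should restrict the lookup to rows with deleted = 0 and suspended = 0 and treat more than one remaining match as an error rather than silently taking the first row. Ordering by id or by creation date does not fix the problem, because a merge can leave the suspended duplicate with the lower id, as in the constructed data above.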


            People

              Assignee: Unassigned
              Reporter: Misha Golenkov (mikhailgolenkov)
              Participants: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Sara Arjona (@sarjona)
