    • 38669
    • 51 Posts
    Hey all,

    I am new to Login so maybe I am missing something.

    I have it working, I create a test user, I can even get the email to be the username.

    However if I then use the same email address (i.e. the same username) in the database the original user with that username is deleted and a new one is created.

    Unless I am missing some sort of "does user exist" check, this is a major security issue. Someone can take over an account just by re-registering with a previously used username...whether deliberately or not.

    Please straighten me out here by either confirming this or pointing me to a way to verify an existing user.

    Thanks in advance
      • 3749
      • 24,544 Posts
      Are you using the Register snippet (part of the Login package) to register the user?
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 38669
        • 51 Posts
        Yes I am, here's the call
        [[!Register? 
        &usernameField=`email` 
        &submitVar=`registerbtn` 
        &activationResourceId=`38` 
        &activationEmailTpl=`myActivationEmailTpl` 
        &activationEmailSubject=`Thanks for Registering!` 
        &submittedResourceId=`27` 
        &usergroups=`Member` 
        &validate=`nospam:blank, password:required:minLength=^6^, password_confirm:password_confirm=^password^, fullname:required, email:required:email`
        &placeholderPrefix=`reg.`
        ]]

        I get the email with the activation link OK.

        Have a look at the attached image. Above the line is the db. Below the line after I did a new registration with the same email address. Effectively it deletes one record and adds another.

        In case you are wondering, I found it happened even without hooking the email across to be the username. In that case if I used an existing username it happened.
          • 38669
          • 51 Posts
          Well go figure this. Now it is working fine and gives "existing user" error. I haven't changed anything, just been working on other aspects of the login.

          Thanks anyway Bob. Your help is always appreciated and your site is a great resource.
            • 3749
            • 24,544 Posts
            Maybe it happens if you create the two users in the same session or before the cache is cleared?

            If you can make it happen reliably, please report it as a bug.
            • Tim Butterworth, MODX Ambassador Reply #6, 11 years ago
              For info, by default, the Register snippet code differentiates users that are active from not active.

              If the existing username is in the database but is NOT active, then the subsequent registration will replace the existing one. However, once a registration becomes active (by the user confirming the registration via the email link), then a duplicate will be blocked. So, I suspect that when you were first trying this, the users that were being 'updated' were in fact inactive.

              You can change this setting as an additional parameter to the Register snippet call. Mine for instance is:

              [[!Register?
                  &validate=`username:required, fullname:required, email:required:email, password:password_confirm=^password_confirm^,
                             username:checkExists`
                  &placeholderPrefix=`reg.`
                  &usernameField=`username`
                  &submittedResourceId=`11`
                  &activationResourceId=`12`  
                  &activationEmailTpl=`lgnActivationEmailTpl` 
                  &activationEmailSubject=`Thanks for Registering!` 
                  &usergroups=`WebUsers` 
                  &removeExpiredRegistrations=`0`
              ]]
              


              You will see the additional final 'removeExpiredRegistrations' - set this to `0` and you may get the results you may have been expecting.

                Tim Butterworth, MBA
                MODX Ambassador
                http://www.eecsoftware.com
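
The behaviour described in the reply above, as a small Python model added here. It is not code from the Login package or from any poster. The class, function and sample usernames are hypothetical, and the flag-off branch follows the reply's suggestion that a pending duplicate is then refused.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class User:
    id: int
    username: str
    active: bool = False  # stays False until the e-mailed link is confirmed


class DuplicateUser(Exception):
    """Raised when a registration is refused because the name is taken."""


class Registry:
    """Toy model of the thread's behaviour; names here are hypothetical."""

    def __init__(self, remove_expired_registrations=True):
        self.remove_expired = remove_expired_registrations
        self.users = {}          # username -> User
        self._ids = count(1)     # stands in for the auto-increment row id

    def register(self, username):
        existing = self.users.get(username)
        if existing is not None:
            # Active accounts always block; pending ones block only when
            # removal of unconfirmed registrations is switched off.
            if existing.active or not self.remove_expired:
                raise DuplicateUser(username)
            del self.users[username]  # pending row is dropped, as in the screenshot
        user = User(next(self._ids), username)
        self.users[username] = user
        return user

    def activate(self, username):
        self.users[username].active = True


def is_blocked(registry, username):
    try:
        registry.register(username)
        return False
    except DuplicateUser:
        return True


def demo(name="user@example.test"):  # constructed sample username
    default, strict = Registry(), Registry(remove_expired_registrations=False)
    first, second = default.register(name), default.register(name)
    default.activate(name)
    strict.register(name)
    return {"ids": (first.id, second.id), "rows": len(default.users),
            "active_blocked": is_blocked(default, name),
            "pending_blocked_when_off": is_blocked(strict, name)}
```

The `ids` result shows why the original poster saw one row vanish and a new one appear: the pending record is replaced, not updated, so only confirmed accounts are protected by default.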