Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-14721

New registrants choosing old deleted usernames get linked to old accounts with namechange

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.9, 3.2.0-RC1
    • Fix Version/s: 3.1.10-RC1
    • Component/s: ACP
    • Labels:
      None

      Description

      Imagine a situation in which a specific user (I will call him User A) wants to get his account deleted. The administrator decides to delete the account but retain all posts so the discussions won't look weird. So all of this users posts now have the Anonymous account's user ID (which is 1) but have the username of the old users (User A).

      Now, a new user user registered under the name "User A" to the board, which is possible because the old account was deleted. The board admin thinks this would be confusing to other members and asks him to pick a different username. The board admin ultimately decides to change his username to "User B". So far, so good. But now the bug comes in place. The username of the posts of the real old User A (now using the anonymous account) are also changed to "User B", which is even more confusing to current members.

      Now, I located the problem, which is in the functions user_update_name(); in includes/functions_user.php

          function user_update_name($old_name, $new_name)
          {
              global $config, $db, $cache, $phpbb_dispatcher;
       
              $update_ary = array(
                  FORUMS_TABLE            => array('forum_last_poster_name'),
                  MODERATOR_CACHE_TABLE    => array('username'),
                  POSTS_TABLE                => array('post_username'),
                  TOPICS_TABLE            => array('topic_first_poster_name', 'topic_last_poster_name'),
              );
       
              foreach ($update_ary as $table => $field_ary)
              {
                  foreach ($field_ary as $field)
                  {
                      $sql = "UPDATE $table
                          SET $field = '" . $db->sql_escape($new_name) . "'
                          WHERE $field = '" . $db->sql_escape($old_name) . "'";
                      $db->sql_query($sql);
                  }
              }
      

      This piece of code updates all instances of a certain username to another username, meaning it will also change the username of the deleted account, which was not intended to be done.

      I think the solution would be to build in a check against the Anonymous account (WHERE user_id != '1') or something like that to make sure that deleted account's usernames aren't changed. But myself I'm not capable enough to code something like that, could anybody please take a look?

        Attachments

          Activity

            People

            • Assignee:
              Elsensee Elsensee
              Reporter:
              JimA JimA
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: