Registering with duplicate email address [or not] - some questions - Login / Register

dejaya · August 6, 2021, 7:43pm

Hi all,

I’m modifying the default Register process to allow administrators to activate users, rather than the users activating via email activation link.

This is all going well, @bobray ActivationEmail plugin has helped and most other tweaks are achieved via postHooks on the Register call.

The client has requested that a specific message is shown if User B tries to sign up with an email address that is already in use by User A.

This works fine when User A’s account is activated - the Register form submit fails and the register.email_taken message is shown in the form.

But if User A’s account is not yet activated, the Register form completes, sends User B an email and, rather unexpectedly, updates User A’s unactivated account with User B’s details.

This seems to assume that User A and User B are the same person and I can just about see the logic in it.

Anyway, what I’d like is to see the Register form submission fail with the register.email_taken message regardless of the activation status of User A’s account.

Am I missing a setting somewhere? Or would this be a case of editing the Register extra? If so - any ideas where?

As always - thanks for any help offered.

Chris

bobray · August 6, 2021, 8:25pm

As far as I can tell, that error message only occurs in one place. It follows this test:

$emailTaken = $this->modx->getObject('modUserProfile',array('email' => $email));

I expected to see a qualifier here with 'active' => true. But it’s not there. So User B should fail here regardless of User A’s active status and should receive the error without being registered.

The only other consideration here is the allow_multiple_emails System Setting. If it’s set to yes, the test is never performed, but in that case, no one would ever get the error message, so I don’t see how what you’re describing could happen, unless un-activated users don’t have an email address or don’t have a user profile.

halftrainedharry · August 6, 2021, 10:05pm

Do you use the email address for the username as well?
Is User A completely deleted from the database when you register User B with the same email address?

There is the possibility, that with the property removeExpiredRegistrations set to yes (default), an existing inactive user with the same username gets deleted.

dejaya · August 7, 2021, 10:01am

That’s the behaviour I was expecting / hoping for. I’m going to test with a clean install later today just to try to clarify what the default by-design behaviour is.

This is set to “No” and the error message correctly appears when User A’s profile is Active.

Yes. This does seems to work fine as long as User A’s profile is Activated.

No. In this scenario - User A’s profile exists and has the same email address that User B is trying to register with - I specifically want to force the error message for User B regardless of the whether User A’s profile is Activated or not. In testing, I’m signing up User B just minutes after User A so I don’t think expiration is the issue. User A’s profile is still on the system.

Thanks both so much for your thoughts. I’m going to do some more testing later today and I’ll report back.

halftrainedharry · August 7, 2021, 10:47am

This still doesn’t make much sense.

If the email address is used as the username, then the form should also show the register.username_taken message, because the username has to be unique.

The code doesn’t check how much time has passed since the user was created. So it doesn’t matter if just minutes passed or weeks.

dejaya · August 7, 2021, 12:26pm

Apologies @halftrainedharry - I should have been clearer. The register.username_taken message does also fire - but I’ve blanked that out in the lexicon entry so that only the register.email_taken message shows. Just to avoid the double message.

Again though - it only fires if User A’s account is activated.

If it’s not activated, User A’s profile details are updated with User B’s form entries.

halftrainedharry · August 7, 2021, 12:49pm

Are you sure the profile details are updated? According to the code, User A should get deleted and a new user should be created.

Maybe you can check the column id of the database tables modx_users and modx_user_attributes to see if the id changes.

github.com

modxcms/Login/blob/376eb7c5eace2006e18acf0546982e2b9c343630/core/components/login/controllers/web/Register.php#L233


      
              /* make sure username isnt taken */
              /** @var modUser $alreadyExists */
              $alreadyExists = $this->modx->getObject('modUser',array('username' => $username));
              if ($alreadyExists) {
                  $cachePwd = $alreadyExists->get('cachepwd');
                  if ($this->getProperty('removeExpiredRegistrations',true,'isset') && $alreadyExists->get('active') == 0 && !empty($cachePwd)) {
                      /* if inactive and has a cachepwd, probably an expired
                       * activation account, so let's remove it
                       * and let user re-register
                       */
                      if (!$alreadyExists->remove()) {
                          $this->modx->log(modX::LOG_LEVEL_ERROR,'[Login] Could not remove old, deactive user with cachepwd.');
                          $success = false;
                      }
                  } else {
                      $this->validator->addError($usernameField,$this->modx->lexicon('register.username_taken'));
                      $success = false;
                  }
              }
          }
          return $success;

dejaya · August 7, 2021, 1:05pm

That’s a really good point @halftrainedharry - that’s exactly what it happening.

My mission here remains to stop it happening though, so I guess I’m going to edit the Register.php file to switch out the

$alreadyExists->remove()

section with code to fire the register.email_taken message and return false.

Any advice on how best to avoid such changes being overwritten by Login updates?

Thanks again.

halftrainedharry · August 7, 2021, 1:11pm

Can’t you just set the property removeExpiredRegistrations to false?
Then User A doesn’t get deleted and therefore the function validateEmail() still returns the register.email_taken error.

dejaya · August 7, 2021, 1:20pm

BINGO!

That single property provides the logic I was looking for

I realise now you mentioned this further up the thread but I think I misunderstood at the time.

Thank you @halftrainedharry !!

system · August 9, 2021, 1:21pm

This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.