Self Register Bug

Wizard
Regular

Post by Wizard »

I think I discovered a bug in the adduser plugin. As you know, existing users in the system have two names: the login name and the real name. The adduser plugin only asks for a login name to be created, along with password and email. If a new user creates an account giving the login name as one of the existing users' real names, the account is created; however, he also has rights to the existing user's articles as though he is the author. Perhaps I did something wrong?
Wizard
My WeBlog
garvinhicking
Core Developer

Re: Self Register Bug

Post by garvinhicking »

Did you maybe create that user with the same password? Only then could the behaviour you describe happen.

The login check is done based on login name and password, and then the first ID is returned. So if you have X users with identical login+name and password, all people get logged in as the first user.

Usually nobody other than you should have access to the same password for one login name, so this shouldn't be a real-life problem...?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Wizard
Regular

That's right

Post by Wizard »

As a matter of fact I did. So you can create two separate users with the same password? And if you do, then they are treated as the first user? They do have different login names, but the user's real name is the same. So two accounts are created, but they are the same. Sounds like a bug to me.
Wizard
My WeBlog
garvinhicking
Core Developer

Re: That's right

Post by garvinhicking »

You can have as many different user names with the same password as you like; Serendipity does the login like this:

Code:

SELECT * from serendipity_authors where username = 'X' and password = 'Y'

Can you please send an SQL dump of your serendipity_authors table? Replace the MD5 password hashes with other strings - only make sure that if you have two MD5s that are the same, that you mark those in the SQL dump as equal so I can see it.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
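The lookup garvinhicking describes, reproduced as an added example (not Serendipity's code and not part of either post): an in-memory SQLite stand-in for serendipity_authors shows the first matching ID winning when two rows share login name and password, an audit query that lists such pairs, and a unique index that refuses a duplicate login name at registration. The authorid and realname columns, the function names, the rows and the HASH_* placeholder strings are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed sample rows: (realname, username, password hash placeholder).
SAMPLE_ROWS = [("Alice Example", "alice", "HASH_A"),   # becomes authorid 1
               ("Bob Example", "bob", "HASH_B"),       # becomes authorid 2
               ("Alice Example", "alice", "HASH_A")]   # authorid 3, same pair as 1

def make_db(rows):
    """In-memory stand-in for serendipity_authors (assumed column layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE serendipity_authors ("
               "authorid INTEGER PRIMARY KEY, realname TEXT, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO serendipity_authors "
                   "(realname, username, password) VALUES (?, ?, ?)", rows)
    return db

def login(db, username, password_hash):
    """Lookup on username + password; the first matching ID wins.
    ORDER BY is added here only to make 'first' deterministic."""
    row = db.execute("SELECT authorid FROM serendipity_authors "
                     "WHERE username = ? AND password = ? ORDER BY authorid",
                     (username, password_hash)).fetchone()
    return row[0] if row else None

def duplicate_credentials(db):
    """Audit: (username, row count, lowest authorid) for shared pairs."""
    return db.execute(
        "SELECT username, COUNT(*), MIN(authorid) FROM serendipity_authors "
        "GROUP BY username, password HAVING COUNT(*) > 1").fetchall()

def enforce_unique_usernames(db):
    """Forbid new duplicate login names; fails if duplicates already exist."""
    db.execute("CREATE UNIQUE INDEX authors_username "
               "ON serendipity_authors (username)")

def register(db, realname, username, password_hash):
    """Return the new authorid, or None when the login name is taken."""
    try:
        cur = db.execute("INSERT INTO serendipity_authors "
                         "(realname, username, password) VALUES (?, ?, ?)",
                         (realname, username, password_hash))
        return cur.lastrowid
    except sqlite3.IntegrityError:
        return None
```

Run duplicate_credentials before creating the index: the index cannot be built while duplicate login names are still in the table.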