[wp-trac] [WordPress Trac] #44683: Export and Erase personal data - emails sent to wrong address if username is an email address which is different from the actual email address

WordPress Trac noreply@wordpress.org
Fri Jan 15 12:13:01 UTC 2021


#44683: Export and Erase personal data - emails sent to wrong address if username
is an email address which is different from the actual email address
------------------------------+------------------------
 Reporter:  subrataemfluence  |       Owner:  xkon
     Type:  enhancement       |      Status:  reviewing
 Priority:  normal            |   Milestone:  5.7
Component:  Privacy           |     Version:  4.9.6
 Severity:  normal            |  Resolution:
 Keywords:                    |     Focuses:
------------------------------+------------------------
Changes (by xkon):

 * owner:  garrett-eclipse => xkon
 * milestone:  Awaiting Review => 5.7


Comment:

 I do agree that the usernames should be cross-checked for existing emails
 as well during registration so this isn't something that the Privacy
 component is supposed to handle practically.

 From my tests, accidental leaking of information didn't occur either.

 To make it easier to replicate & explain for others reading we have 2
 users:

 {{{
 Name: Test, Username: test_user, Email: test@user.com
 Name: Fake, Username: test@user.com, Email: fake@user.com
 }}}

 When you create an Export request for `test@user.com` this is actually
 used as an email directly so all e-mails will go to `test@user.com`.

 So the issue here is that the Test user might not have actually requested
 the export (it might've been the Fake user instead) so they will randomly
 receive an export confirmation, which won't be nice obviously.

 I don't mind us altering the code a bit to always go for actual e-mails
 but we have to take into account that the admin form asks for "Username
 or email address" and that's why it's working like this.  So by simply
 adding extra checks it might end up being even more confusing towards
 admins of what was actually used.

 If we want to check for actual usernames vs actual email addresses I would
 prefer to either:

 1. Split the form in the UI also to request specifically either username
 -or- email (via different fields).
 2. Request only e-mails that will be checked directly to $user->user_email
 (usernames won't be used anywhere) since everything is communicated via
 E-mails this might make more sense.

 I'd like more input on this from others though before continuing with any
 decision.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44683#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
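
A small Python model of the ambiguity described in the comment above, added here as an illustration; it is not WordPress code and does not come from the ticket. The function names, the simplified email-shape check and the two sample accounts are assumptions constructed from the comment's example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    login: str
    email: str

# Constructed accounts mirroring the two users in the comment above.
USERS = [
    User("Test", "test_user", "test@user.com"),
    User("Fake", "test@user.com", "fake@user.com"),
]

# Simplified email-shape check; a stand-in, not WordPress's validator.
EMAIL_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def recipient_as_described(identifier, users):
    """Email-shaped input is used directly as the address;
    anything else is looked up as a username."""
    if EMAIL_SHAPE.fullmatch(identifier):
        return identifier
    return next((u.email for u in users if u.login == identifier), None)

def interpretations(identifier, users):
    """Every (field, account name) the identifier could refer to."""
    hits = [("login", u.name) for u in users if u.login == identifier]
    hits += [("email", u.name) for u in users if u.email == identifier]
    return hits

def colliding_logins(users):
    """Audit: (login owner, email owner) pairs where one account's
    username is another account's email address."""
    by_email = {u.email: u for u in users}
    return [(u.name, by_email[u.login].name) for u in users
            if u.login in by_email and by_email[u.login] != u]

def registration_allowed(login, email, users):
    """Registration cross-check: reject a username that equals an
    email address already held by an existing account, unless it is
    the registrant's own email."""
    return not any(u.email == login and u.email != email for u in users)

if __name__ == "__main__":
    print(recipient_as_described("test@user.com", USERS))
    print(interpretations("test@user.com", USERS))
    print(colliding_logins(USERS))
```

Running `colliding_logins` over an exported user list shows which existing accounts can trigger the misdirected confirmation e-mail.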