'Name' value for anonymous comments can conflict with registered usernames

This means that one of your users has created an account with the same name you are using for the guest user. You must change either the user name or the guest name.

this is real trouble on large loaded sites

cause

if Your site was for anonymous users but during its growing process Your users became registered with the same names - trouble is global
F.E. content manager wants to edit old message - but always got this error. Changing names - is not good - sometimes it can be non-legal (copyright)

If this bug (Yes, this is bug! cause superadmin may edit everything!) woudn`t be fixed try this small fix in comment.module

        $taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']));

/*
	   if ($taken != 0) {
          form_set_error('name', t('The name you used belongs to a registered user.'));
        }
*/
      }

But remember!!!! - with commenting this code users can change their usernames in comments into Registered usernames (possible)

ps. sorry for my english

moving this to core comment.module queue

we need to handle such situation in right way

just checked this in 7.x-dev - all the same

#3 describes a situation where a comment administrator can end up not being able to edit an existing comment.

Also for people who have registered and try to post a comment when they are not logged in - they may get this message, but it's really no help to them so they give up. I've worked round this using string overrides so that they also get a link to the login page, but a better answer would be for them to be shown a password box on the error screen so that they can log in and post the comment all at once. Otherwise they have to type their comment in again once they've logged in, which is pretty cruel!

Also updating title to be more meaningful.

This is really a bug. It's a real pain with common names like "Michael" and "George". Will love to see this check removed from the comment module. I think the "name" field in "comments" table should not have anything to do with the user as the "uid" field is already there to track the user.

Echoing #7. This is definitely a bug and bad UX. Let's say there's a "steve" username (or "Steve", or "STEVE" - case doesn't matter). If Steve isn't logged in, or another Steve in the world wanted to comment, they're presented with "The name you used belongs to a registered user". Steve's choices are to either type in his full name, intentionally misspell his name, or leave a fake/random name.

As far as I can tell, uid can remain 0 and name can be anything, so what's the point of this validation? And should this be a new ticket?

So here's the quick steps on how to reproduce this:

1. while logged out, add a comment to a node, giving your name as, say, 'Bob'.
2. as uid 1, create a user called 'Bob'
3. as uid 1, try to edit the comment and save it.

> Also for people who have registered and try to post a comment when they are not logged in

I think this is a separate matter -- feature request to have login fields within the comment form perhaps? Though I bet there's a contrib module for that already ;)

So sticking to the main issue, the problem is not what code to write, but how to handle this situation. There's a principle of Drupal of protecting people's identities -- that is why we don't allow duplicate usernames.

Some ideas:

a) When an account is created, check ALL comment names and reject the new account name if an anonymous comment already bears that name. -- this is patently absurb, so let's move on ;)
b) When editing the anonymous comment, run a check on the name field, and warn the admin of the situation. This allows the admin to do something about it before getting the submit warning -- like changing the name field. For bonus points, the form could show the warning AND change the name field to 'Bob (visitor)', or 'Bob (Anonymous)'.

Other than that, I'm not sure... any more ideas?

subscribe

I modified the code like this:

$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE LOWER(name) = '%s'", $edit['name']));
if ($taken != 0) {
    $email = db_result(db_query("SELECT mail FROM {users} WHERE LOWER(name) = '%s'", $edit['name']));
    if ($email != $edit['mail']) form_set_error('name', t('The name you used belongs to a registered user.'));
}

So, if the username is already taken, it also considers the email. If the username/email pair exists in the database, the comment is allowed, otherwise the standard "name taken" error is displayed.

The issue exists in Drupal's comment core module for websites where only anonymous users post comments.
This should definitely be changed to check email instead, as email is site-wide unique identifier of site visitor, not name. Anonymous users don't need site account just to post a comment or reply and this is totally confusing the way it works at the moment.

Here's the patch with proposed change (against version 6.x). This patch will work the old way but will skip username check if Anonymous users may post comments.
Let me know if this is good enough and I will post the patch file.

--- Base (BASE)
+++ Locally Modified (Based On LOCAL)
@@ -1201,7 +1201,7 @@
if (!$user->uid || isset($edit['is_anonymous'])) {
$node = node_load($edit['nid']);
if (variable_get('comment_anonymous_'. $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
- if ($edit['name']) {
+ if ($edit['name'] && !user_access('access comments')) {
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE name = '%s'", $edit['name']));

if ($taken != 0) {

Please don't change the version number -- this needs to be fixed on 7 first.

Also, can you upload rather than paste your patch please?

A patch for this issue needs to contain a test to reproduce the bug, following the steps in #9. This patch should not contain a fix, just the test to prove that this bug still exists and can be cleanly reproduced.

Also related #1121876: If a user changes their e-mail address, then we need to also update {comment}.mail

Anonymous author still pita

I think this patch addresses the test request in #15. On my development machine, the test fails where I'd expect:

Testing Drupal\Tests\comment\Functional\CommentInterfaceTest
F...                                                                4 / 4 (100%)

Time: 5.27 minutes, Memory: 6.00MB

There was 1 failure:

1) Drupal\Tests\comment\Functional\CommentInterfaceTest::testCommentInterface
"vWMdUNQz" found
Failed asserting that false is true.

/var/www/drupal-dev-8/core/tests/Drupal/KernelTests/AssertLegacyTrait.php:35
/var/www/drupal-dev-8/core/tests/Drupal/FunctionalTests/AssertLegacyTrait.php:145
/var/www/drupal-dev-8/core/tests/Drupal/FunctionalTests/AssertLegacyTrait.php:84
/var/www/drupal-dev-8/core/modules/comment/tests/src/Functional/CommentTestBase.php:166
/var/www/drupal-dev-8/core/modules/comment/tests/src/Functional/CommentInterfaceTest.php:124

I assume the next step is to create a patch that fixes the behavior. I should be able to look into that either this week or next.

Let's run the tests to confirm that the bug exists and the tests can trigger it.

Updated IS to clarify the issue, but I don't know what the right solution is. I think it's not really necessary to validate the 'Name' provided by anonymous users, and it doesn't make sense to reserve these values as usernames. But I don't deal with sites that use commenting so this definitely needs input from folks who do.

Closed #903606: Don't allow users to register with name the same as the Anonymous name as a duplicate so adding credit here.

The two issues seem unrelated to me -- this one should be fixed in comment module, and the other one in user module.

Somewhat puzzled as to how they seem unrelated, since the steps to reproduce here describe the other issue exactly.

I think the only difference is the proposed solution. But I don't think there is a need to disallow users from registering with the anon username, as long as it doesn't interfere with commenting, as this issue proposes.

If you think there is a separate fix needed to the user module please do re-open the other issue, I think it just needs an issue summary update to make it clear.

The other issue, #903606: Don't allow users to register with name the same as the Anonymous name is this:

1. The site is set up to show the label 'Anonymous user' for anonymous users, anywhere where the anonymous user might be involved -- comment author, but also node author, etc etc.
2. Someone create sa user account and enters the username 'Anonymous user' for that account.
3. This is confusing, because things created by a registered user now say 'Anonymous user'.

This issue is this:

1. An anonymous user posts a comment. In the comment form, they can write their name. This is a simple text field. They put 'Kermit the frog'.
2. Someone else later creates a user account, and enters the username 'Kermit the frog'.
3. It not looks like the comments created by the anonymous user were created by the authenticated user 'Kermit the frog', but they are not.

The other issue is fixed with validation in the user module to prevent a username being registered which matches the site config for the anonymous user label.

This issue is fixed with validation in the comment module to prevent a username being registered which matches the name field on any existing comment.

I guess the other issue is described badly then because it only mentions comments as a problem and specifies that the issue is that anonymous users are blocked from submitting the form if someone has the username that is allocated to anonymous users.

Perhaps the best way forward is a new issue for 'Prevent a username being registered which matches the site config for the anonymous user label'?

Edit: I realised that the other issue title was effectively this, but the issue summary wasn't and it only referred to comments. So maybe the other issue just needs to be reopened with a better summary.

Tested on the node form and it works fine, posted more info at #903606-41: Don't allow users to register with name the same as the Anonymous name.

3. It not looks like the comments created by the anonymous user were created by the authenticated user 'Kermit the frog', but they are not.

The other issue is fixed with validation in the user module to prevent a username being registered which matches the site config for the anonymous user label.

This issue is fixed with validation in the comment module to prevent a username being registered which matches the name field on any existing comment.

I'm not sure this is a problem, or at if it is that preventing registration with those names is desirable:

- we add (not verified) after anonymous comment usernames, so there's a clear indication that no-one was logged in.

- there's validation to prevent the opposite case, of anonymous comments being posted with a registered username, so you won't get into the situation where the anonymous and logged-in usernames are both on the same active comment threads at the same time.

- What is the message from the comment validation? Would it say someone else has already registered the username? They haven't really, but saying someone left a comment with that anonymous display name seems like a strange validation message to get when registering an account.

- What if I've been posting anonymously as 'catch', then I want to register an account as 'catch' - now I can't do that.

One option would be some kind of advisory message instead of a hard validation error, but we don't really have a great place to do that.

> - there's validation to prevent the opposite case, of anonymous comments being posted with a registered username, so you won't get into the situation where the anonymous and logged-in usernames are both on the same active comment threads at the same time.

If we prevent it one way, we should prevent it the other. A user could register an account 10 minutes after an anonymous user posts a comment, and then we'd potentially have the same mix of anonymous and logged-in usernames in the same comment thread.

> One option would be some kind of advisory message instead of a hard validation error, but we don't really have a great place to do that.

This is actually something I've previously thought FormAPI should do -- an advisory message that stops form submission once, but then lets you through on the second submit. I may have created an issue for that a long time ago.

The only possible confusion could happen if "visitor has no access to user profiles" but for that purpose comment module renders "not verified" after anonymous user names (which is stored as plain text and uid for this comments are always 0)

I'd closed it as works as designed

I am in agreement with catch and andypost that we don’t need to validate usernames against the list of comment names.

There is a bug here (the error on commenting if the anon username is taken) but it will be addressed in #903606: Don't allow users to register with name the same as the Anonymous name. So I still think it’s a duplicate.

‘Show advisory message if a user registers with a name that matches existing comments’ might be a good follow up task. Converting this issue into that would lead to confusion I think.

Since there haven't been any updates to this in 3 years, I'm marking it as closed per the most recent discussion. The other issue is now re-opened and some progress has been made.