Problem/Motivation
If the 'Name' provided for a comment matches a registered user account, the comment can't be saved. This applies to posting new comments or admins editing existing comments.
Steps to reproduce
- Install Drupal
- Create an article with comments open
- As an anonymous user, post a comment with an empty value for 'Name'
- As admin, create a user account with username 'Anonymous'
- As admin, edit the previous comment posted by anonymous user and see you get a validation error
- As anonymous user, confirm you can still post comments with empty value for 'Name' and they are created as 'Anonymous'
- As anonymous user, try to post a comment with 'Anonymous' as 'Name' and see you get a validation error
(Note the same occurs with any Name/username, not just Anonymous)
Proposed resolution
Perhaps do this validation for anonymous comments, since 'Name' is just a plain text field? It shows (not verified) for anon users next to the name provided. And comments by the registered user link to the user profile by default. So there is a way to distinguish them:
Remaining tasks
- Agree on a resolution
- Write a patch with tests
- Review
User interface changes
API changes
Data model changes
Release notes snippet
Original issue summary
Hi,
I am trying to get 2.3 to work, but I am stuck on "The name belongs to a registered user.".
I set "access secured pages" permission for securesite also to anonymous users.
How to get this message away and securesite working?
I got a blank field for guest user, and am not able to type something in it, but it has a red border around it.
Thanks for going into this.
Greetings, Martijn
Comment | File | Size | Author |
---|---|---|---|
#35 | Screen Shot 2021-06-27 at 8.01.37 PM.png | 27.53 KB | pameeela |
#35 | Screen Shot 2021-06-27 at 7.54.25 PM.png | 46.69 KB | pameeela |
#35 | Screen Shot 2021-06-27 at 7.48.13 PM.png | 55.6 KB | pameeela |
#27 | edit_guest_comment_after_account_uses_name_test-472202-27.patch | 1.6 KB | pbirk |
Comments
Comment #1
Darren Oh
This means that one of your users has created an account with the same name you are using for the guest user. You must change either the user name or the guest name.
Comment #2
Summit
Hi,
You were right! Somehow I got a user with Anonymous user as name in my useradmin. I deleted this user, and now it works.
Thanks for your quick reply!
greetings,
Martijn
Comment #3
podarok
this is real trouble on large loaded sites
cause
if Your site was for anonymous users but during its growing process Your users became registered with the same names - trouble is global
F.E. content manager wants to edit old message - but always got this error. Changing names - is not good - sometimes it can be non-legal (copyright)
If this bug (Yes, this is bug! cause superadmin may edit everything!) wouldn't be fixed try this small fix in comment.module
But remember!!!! - with commenting this code users can change their usernames in comments into Registered usernames (possible)
ps. sorry for my english
Comment #4
podarok
moving this to core comment.module queue
we need to handle such situation in right way
Comment #5
podarok
just checked this in 7.x-dev - all the same
Comment #6
gpk
#3 describes a situation where a comment administrator can end up not being able to edit an existing comment.
Also for people who have registered and try to post a comment when they are not logged in - they may get this message, but it's really no help to them so they give up. I've worked round this using string overrides so that they also get a link to the login page, but a better answer would be for them to be shown a password box on the error screen so that they can log in and post the comment all at once. Otherwise they have to type their comment in again once they've logged in, which is pretty cruel!
Also updating title to be more meaningful.
Comment #7
a6hiji7
This is really a bug. It's a real pain with common names like "Michael" and "George". Will love to see this check removed from the comment module. I think the "name" field in "comments" table should not have anything to do with the user as the "uid" field is already there to track the user.
Comment #8
roedelius
Echoing #7. This is definitely a bug and bad UX. Let's say there's a "steve" username (or "Steve", or "STEVE" - case doesn't matter). If Steve isn't logged in, or another Steve in the world wanted to comment, they're presented with "The name you used belongs to a registered user". Steve's choices are to either type in his full name, intentionally misspell his name, or leave a fake/random name.
As far as I can tell, uid can remain 0 and name can be anything, so what's the point of this validation? And should this be a new ticket?
Comment #9
joachim
So here's the quick steps on how to reproduce this:
1. while logged out, add a comment to a node, giving your name as, say, 'Bob'.
2. as uid 1, create a user called 'Bob'
3. as uid 1, try to edit the comment and save it.
> Also for people who have registered and try to post a comment when they are not logged in
I think this is a separate matter -- feature request to have login fields within the comment form perhaps? Though I bet there's a contrib module for that already ;)
So sticking to the main issue, the problem is not what code to write, but how to handle this situation. There's a principle of Drupal of protecting people's identities -- that is why we don't allow duplicate usernames.
Some ideas:
a) When an account is created, check ALL comment names and reject the new account name if an anonymous comment already bears that name. -- this is patently absurd, so let's move on ;)
b) When editing the anonymous comment, run a check on the name field, and warn the admin of the situation. This allows the admin to do something about it before getting the submit warning -- like changing the name field. For bonus points, the form could show the warning AND change the name field to 'Bob (visitor)', or 'Bob (Anonymous)'.
Other than that, I'm not sure... any more ideas?
Comment #10
yngens
subscribe
Comment #11
mingos
I modified the code like this:
So, if the username is already taken, it also considers the email. If the username/email pair exists in the database, the comment is allowed, otherwise the standard "name taken" error is displayed.
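The name/e-mail rule described in comment #11, as an added example that is not part of the original thread and is not Drupal's code: plain PHP with a constructed user list, where the function name and the sample accounts are assumptions. The last case is the re-save of an old guest comment from the steps in #9, which this rule still rejects when no matching e-mail is stored.

```php
<?php
// Added illustration; plain PHP, no Drupal bootstrap. All data is constructed.

// Stand-in for the {users} table: registered account names and mails.
$registered = [
    ['uid' => 2, 'name' => 'Bob',   'mail' => 'bob@example.com'],
    ['uid' => 3, 'name' => 'steve', 'mail' => 'steve@example.com'],
];

/**
 * Validate the 'Name' typed on an anonymous comment (uid 0).
 * Returns null when the name is acceptable, or an error string.
 * Hypothetical helper modelled on the rule described in comment #11.
 */
function validate_anonymous_name(string $name, string $mail, array $users): ?string
{
    $name = trim($name);
    if ($name === '') {
        return null; // Empty name: the comment is shown as 'Anonymous'.
    }
    foreach ($users as $account) {
        // Username comparison ignores case ('Steve' collides with 'steve').
        if (strcasecmp($account['name'], $name) !== 0) {
            continue;
        }
        // Name is taken. Rule from #11: accept only if the mail matches too.
        // The mail field is typed by the poster, so this is a convenience
        // for logged-out account holders, not proof of identity.
        if ($mail !== '' && strcasecmp($account['mail'], trim($mail)) === 0) {
            return null;
        }
        return 'The name you used belongs to a registered user.';
    }
    return null; // No registered account has this name.
}

// Constructed cases: name and mail as submitted with the comment form.
$cases = [
    ['Kermit the frog', 'kermit@example.org'], // free name
    ['STEVE', 'steve@example.com'],            // taken, mail matches
    ['Steve', 'other@example.org'],            // taken, mail differs
    ['Bob', ''],                               // old guest comment re-saved after 'Bob' registered
];
foreach ($cases as [$name, $mail]) {
    $error = validate_anonymous_name($name, $mail, $registered);
    printf("%-16s %-20s %s\n", $name, $mail ?: '(none)', $error ?? 'accepted');
}
```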
Comment #12
ivrh
The issue exists in Drupal's comment core module for websites where only anonymous users post comments.
This should definitely be changed to check email instead, as email is site-wide unique identifier of site visitor, not name. Anonymous users don't need site account just to post a comment or reply and this is totally confusing the way it works at the moment.
Comment #13
ivrh
Here's the patch with proposed change (against version 6.x). This patch will work the old way but will skip username check if Anonymous users may post comments.
Let me know if this is good enough and I will post the patch file.
--- Base (BASE)
+++ Locally Modified (Based On LOCAL)
@@ -1201,7 +1201,7 @@
if (!$user->uid || isset($edit['is_anonymous'])) {
$node = node_load($edit['nid']);
if (variable_get('comment_anonymous_'. $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
- if ($edit['name']) {
+ if ($edit['name'] && !user_access('access comments')) {
$taken = db_result(db_query("SELECT COUNT(uid) FROM {users} WHERE name = '%s'", $edit['name']));
if ($taken != 0) {
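Review bot: on the changed `+` line, `!user_access('access comments')` tests the current user's permission to view comments, so on any site where anonymous visitors can read comments the `SELECT COUNT(uid) FROM {users}` lookup is skipped for every anonymous poster, and the check that stops a guest from posting under a registered username no longer runs at all. If the goal is only to let an administrator re-save an existing guest comment, limit the bypass to the `isset($edit['is_anonymous'])` branch (a logged-in user saving an anonymous comment) and test a permission such as 'administer comments' there, leaving the lookup in place for new anonymous posts.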
Comment #14
joachim
Please don't change the version number -- this needs to be fixed on 7 first.
Also, can you upload rather than paste your patch please?
Comment #15
sun
A patch for this issue needs to contain a test to reproduce the bug, following the steps in #9. This patch should not contain a fix, just the test to prove that this bug still exists and can be cleanly reproduced.
Comment #16
pillarsdotnet
Comment #17
andypost
Also related #1121876: If a user changes their e-mail address, then we need to also update {comment}.mail
Comment #18
andypost
Anonymous author still pita
Comment #25
Darren Oh
Comment #26
volkswagenchick
Comment #27
pbirk
I think this patch addresses the test request in #15. On my development machine, the test fails where I'd expect:
I assume the next step is to create a patch that fixes the behavior. I should be able to look into that either this week or next.
Comment #28
pbirk
Comment #29
DamienMcKenna
Let's run the tests to confirm that the bug exists and the tests can trigger it.
Comment #35
pameeela
Updated IS to clarify the issue, but I don't know what the right solution is. I think it's not really necessary to validate the 'Name' provided by anonymous users, and it doesn't make sense to reserve these values as usernames. But I don't deal with sites that use commenting so this definitely needs input from folks who do.
Comment #38
pameeela
Closed #903606: Don't allow users to register with name the same as the Anonymous name as a duplicate so adding credit here.
Comment #39
joachim (as a volunteer)
The two issues seem unrelated to me -- this one should be fixed in comment module, and the other one in user module.
Comment #40
pameeela
Somewhat puzzled as to how they seem unrelated, since the steps to reproduce here describe the other issue exactly.
I think the only difference is the proposed solution. But I don't think there is a need to disallow users from registering with the anon username, as long as it doesn't interfere with commenting, as this issue proposes.
If you think there is a separate fix needed to the user module please do re-open the other issue, I think it just needs an issue summary update to make it clear.
Comment #41
joachim (as a volunteer)
The other issue, #903606: Don't allow users to register with name the same as the Anonymous name is this:
1. The site is set up to show the label 'Anonymous user' for anonymous users, anywhere where the anonymous user might be involved -- comment author, but also node author, etc etc.
2. Someone creates a user account and enters the username 'Anonymous user' for that account.
3. This is confusing, because things created by a registered user now say 'Anonymous user'.
This issue is this:
1. An anonymous user posts a comment. In the comment form, they can write their name. This is a simple text field. They put 'Kermit the frog'.
2. Someone else later creates a user account, and enters the username 'Kermit the frog'.
3. It now looks like the comments created by the anonymous user were created by the authenticated user 'Kermit the frog', but they are not.
The other issue is fixed with validation in the user module to prevent a username being registered which matches the site config for the anonymous user label.
This issue is fixed with validation in the comment module to prevent a username being registered which matches the name field on any existing comment.
Comment #42
pameeela
I guess the other issue is described badly then because it only mentions comments as a problem and specifies that the issue is that anonymous users are blocked from submitting the form if someone has the username that is allocated to anonymous users.
Perhaps the best way forward is a new issue for 'Prevent a username being registered which matches the site config for the anonymous user label'?
Edit: I realised that the other issue title was effectively this, but the issue summary wasn't and it only referred to comments. So maybe the other issue just needs to be reopened with a better summary.
Comment #43
pameeela
Tested on the node form and it works fine, posted more info at #903606-41: Don't allow users to register with name the same as the Anonymous name.
Comment #44
catch
I'm not sure this is a problem, or, if it is, that preventing registration with those names is desirable:
- we add (not verified) after anonymous comment usernames, so there's a clear indication that no-one was logged in.
- there's validation to prevent the opposite case, of anonymous comments being posted with a registered username, so you won't get into the situation where the anonymous and logged-in usernames are both on the same active comment threads at the same time.
- What is the message from the comment validation? Would it say someone else has already registered the username? They haven't really, but saying someone left a comment with that anonymous display name seems like a strange validation message to get when registering an account.
- What if I've been posting anonymously as 'catch', then I want to register an account as 'catch' - now I can't do that.
One option would be some kind of advisory message instead of a hard validation error, but we don't really have a great place to do that.
Comment #45
joachim (as a volunteer)
> - there's validation to prevent the opposite case, of anonymous comments being posted with a registered username, so you won't get into the situation where the anonymous and logged-in usernames are both on the same active comment threads at the same time.
If we prevent it one way, we should prevent it the other. A user could register an account 10 minutes after an anonymous user posts a comment, and then we'd potentially have the same mix of anonymous and logged-in usernames in the same comment thread.
> One option would be some kind of advisory message instead of a hard validation error, but we don't really have a great place to do that.
This is actually something I've previously thought FormAPI should do -- an advisory message that stops form submission once, but then lets you through on the second submit. I may have created an issue for that a long time ago.
Comment #46
andypost
The only possible confusion could happen if "visitor has no access to user profiles" but for that purpose comment module renders "not verified" after anonymous user names (which is stored as plain text and uid for these comments are always 0)
I'd closed it as works as designed
Comment #47
pameeela
I am in agreement with catch and andypost that we don’t need to validate usernames against the list of comment names.
There is a bug here (the error on commenting if the anon username is taken) but it will be addressed in #903606: Don't allow users to register with name the same as the Anonymous name. So I still think it’s a duplicate.
‘Show advisory message if a user registers with a name that matches existing comments’ might be a good follow up task. Converting this issue into that would lead to confusion I think.
Comment #52
pameeela
Since there haven't been any updates to this in 3 years, I'm marking it as closed per the most recent discussion. The other issue is now re-opened and some progress has been made.