Not a bug Merging member Accounts does not merge External Integration Accounts

[Mouth]

XF 1.5.14

I have two members account, ABC and XYZ.
XYZ has an External Integration Account linked (eg. Facebook). ABC does not have any.
From /admin.php?users/XYZ.12345/edit I use the 'Merge with User' function from the drop-down Actions menu, and enter/select ABC

When merge is completed, ABC still does not have any External Integration Accounts and XYZ's (now ABC) linking to Facebook has been lost.

ABC (ex XYZ) can now no longer login, as s/he was using their Facebook integration to do so. One of 3 options now occurs;

• They go through a password reset cycle (making the email address an issue, if it's unknown or un-monitored)
• We lose that member because it's too hard and they don't bother
• They create yet another duplicate account, using their Facebook integration to sign-up

Account merge's should merge all details and information from XYZ, where ABC does not already have values for those details.

 

[Mike]

Generally, I disagree with what you're suggesting here and it would be somewhat inconsistent with other areas. We don't bring in any of the profile components (location, email, password, custom fields, two-step verification, etc) from the source user. In instances like this, the lack of a value is still a valid value. Indeed, in this situation, there's at least a passing chance of a security issue if you bring what is effectively a password in from another user.

ABC (ex XYZ) can now no longer login, as s/he was using their Facebook integration to do so.

If ABC doesn't have any external assocations, they would have a password that would be known to the person registering. Given the merge, presumably that is the same person as XYZ.

 

[Mouth]

there's at least a passing chance of a security issue if you bring what is effectively a password in from another user.

It's the same physical/IRL person, that's why you're merging the accounts.

If ABC doesn't have any external assocations, they would have a password that would be known to the person registering. Given the merge, presumably that is the same person as XYZ.

Not if Fred, whom was ABC but cannot access that account due to email address and/or password forget after a hiatus, and found it easier to create XYZ instead. You're merging IRL Fred's duplicate accounts into one anyway (and you pick ABC because it existed first).