Fixed Username Change Despite No Permissions?

[arn]

I've seen some users come through with a username change request even though we have permissions turned off for that right now.

I rebuilt out user permissions cache, thinking that would fix it. I analyzed the user permissions and it looks like they shouldn't be able to. Anything else to check?

This user just requested it and I checked their permissions.

 

[Mike]

Looking at the code, the "change username" permission is checked as a gate on everything, so I don't really see how this would happen in the core code. Is it possible an add-on is involed?

 

[Lawrence]

From my experience, when ever a member can do something that the analyze permissions says they can not, an add-on is interfering with the permission check.

 

[arn]

Looking at the code, the "change username" permission is checked as a gate on everything, so I don't really see how this would happen in the core code. Is it possible an add-on is involed?

I followed up with the user. And was able to recreate it.

If you change your email address, you are then able to change your username.

Can you test this? I wouldn't think this is addon-related.

Edit: I see, the unregistered/unconfirmed user has Username Change permission on my config. I suppose I can turn that off?

arn

 

[Chris D]

Edit: I see, the unregistered/unconfirmed user has Username Change permission on my config. I suppose I can turn that off?

Yes.

I don't think this issue will be unique to you and it may be something we need to investigate.

On my live site it looks like I have a similar situation. We base the changeUsername permission on the editProfile permission. We have this set to allow for unregistered/unconfirmed intentionally by default (I think) so this is potentially an issue that we need to address.

Though worth noting I'm not currently seeing a way we'd be able to make this retroactive without forcing the assumption that unregistered/unconfirmed should never be able to change usernames.

We may just need to base it on a different permission and that will only apply for new upgrades from to 2.2 rather than changing existing upgrades.

That said, we might also be able to handle it in ocde so that non-valid users can never change username.

 

[420]

We are experiencing this problem as well. Unfortunately, due to the nature of our forums, we do not allow name changes. So this is opening up a rabbit hole with the members thinking they can, then being told they can't, then talking smack about us in the forums. Please work to get a fix for this guys, we really appreciate it.

 

[Chris D]

Just remove the permission from the "Unregistered" user group.

 

[Paul B]

Just set the permission for the Registered and Unregistered user groups to no.

 

[420]

Works like a charm, thank you gentlemen.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.2).

Change log:

Do not grant the change username permission to the unconfirmed user group when upgrading to 2.2 (from 2.1 or earlier). For existing upgrades, remove the permission from this group explicitly. If you wish to allow unconfirmed users to change their usernames, the permission will need to be explicitly re-added after upgrading to 2.2.2.

There may be a delay before changes are rolled out to the XenForo Community.