Users crossing over/connecting to wrong profile in Discourse

Recently we’ve had 16 instances of users from wordpress being associated with the wrong user in Discourse.

When accessing the user profile as an admin you can see that the SSO record has the wrong user’s details. Delete the record and the next time the user logs in via wordpress, they get access to the correct user profile in Discourse.

Has anyone seen this before?

Hey Jake,

This seems like it’s related to your previous issue, which we didn’t get to the bottom of before.

There was probably something in the difference between the email in the SSO details and the email in the log in that one.

The issue itself may be the same one that case seemed to suggest.

I suspect the issue is that require_activation is set to true in the SSO payload.

How do you know the details are wrong? I’m not doubting you, just trying to pin down where the issue might be coming from. You can PM me details if you’d prefer not to share publicly.

Hey Angus,

Thanks for jumping in again. Seems to be the same.

How do you know the details are wrong?

Because the user email in the user profile:

And the user email in the SSO record:

Were not the same for the crossed over users. The user id and email were for the person who was logging in, but connected to the wrong profile.

Sorry for the slow response Jake.

A possible cause here is that, in some cases, a single email is associated with multiple user accounts on your Wordpress instance. Do you think that’s possible?

For example, have you had a custom user registration process in Wordpress at any time (one that didn’t require a user to confirm their email before logging in), or done an import of users into Wordpress at any point?

Is this an ongoing problem, or is it limited to a subset of users? Are these user accounts old, or new?

No worries Angus! I have no expectations of your attention!

The user accounts are created through a purchase being made on woocommerce. Woo used to be on a subsite, but the sites were merged. The two sites shared a user table so the IDs should, at least in theory, have remained constant.

Access to the website was, before my time, controlled via membermouse. Since then - around 5 years ago - the access has been controlled by imember360 and recently replaced with memberium, both essentially identical plugins that integrate with a CRM called infusionsoft and allow access to various pages based on data from the crm.

The way these plugins work requires a unique email address, so it’s impossible for the same email address to be used in multiple users.

It’s an ongoing problem, but seems to be limited to a very small number of users. It’s happened to two ‘old’ users, and recently happened to a 5-day-old account, so isn’t an issue for new users only.

This one is a tricky one. I have some theories about how require_activation might be being set to true in your setup, and subsequently causing this issue, but there’s a few (theories) to choose from.

I’m currently finishing off a new suite of tests for the WP Discourse plugin and I’m adding in logging to the SSO functionality. I’m writing some additional logging that should pick up the cause of this. This work will go into the plugin in the next month so we should have more of an answer soon.