User can Sign in to MP-stage with an account that was already deleted in Lookup Tool



Admin Tools
4 years ago
3 years ago


(Reporter: Victor Carciu, Unassigned)


Windows 7


(Whiteboard: [marketplace-transition])



4 years ago
Build identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Steps to reproduce:
1. Sign in to MP-stage with an admin account(
2. Click “Lookup Tool” link option from the bottom of the page 
3. Search for an account
4. Click “Delete User” button
5. Use the deleted account to sign in MP-stage

Expected results:
User cannot sign in

Actual results:
User is signed in and can execute operations in MP-stage homepage

Please see screencast for this bug:

Is the user the same as before, i.e. it's the deleted one? Or is a new user created (as expected) when the user logs in anew?

What does lookup show for that email address after logging in?

Comment 2

4 years ago
Yes, it is the deleted one.
Lookup is showing that the account is deleted.

Comment 3

4 years ago
Login should check the soft deletion of a user; if it's happened, raise a warning and prevent the login.
Severity: normal → enhancement
Priority: -- → P4
(In reply to Andy McKay [:andym] from comment #3)
> Login should check the soft deletion of a user; if it's happened, raise a
> warning and prevent the login.

severity: enhancement? You shouldn't be able to use a deleted account - who knows what other issues it would cause when it comes to emails, installs, purchases.
Target Milestone: 2014-10-28 → ---
User deletion when the credentials live with Persona or FxA seems odd to me.

If we hard-deleted an account that would mean we also would need to delete things associated with that user (reviews, apps, etc). But if the user still has their FxA or Persona account they could simply log in again and start over.

We soft-delete users however. How should soft-deleted users be treated differently? Should we even have the ability to delete users? When do we do it and what's the purpose? Perhaps we want something more like a blacklist where a user known by a certain email can no longer log in?
There are two use cases here:
1) Mozilla deleting a user account. In this case it's normally because they're spamming - but their reviews aren't currently deleted (bug 889906). A blacklist would be useful, though spammers normally switch email addresses regularly so it may not be of much use. Bug 889906 would be more useful than a blacklist imo.

2) The user deleting their own account. It seems right that a user, if they choose, should be able to delete their account. Whether we soft delete, anonymise, and keep some details for audit purposes is up to us, but effectively saying you can't ever close an account once created seems wrong to me. After deleting, if the same email address logs in again we should create a new account.
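
The login-time check proposed in comment 3, combined with the two use cases in the comment above, as an added example (not Marketplace code). It assumes the identity provider (Persona or FxA) has already verified the email; `UserStore`, `login`, `LoginDenied` and the `deleted_by_admin` field are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    deleted: bool = False           # soft delete: the row is kept, the account is closed
    deleted_by_admin: bool = False  # hypothetical field recording who closed the account


class LoginDenied(Exception):
    """Raised when a soft-deleted account must not be signed in."""


class UserStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self):
        self.users = []

    def add(self, email, **fields):
        user = User(id=len(self.users) + 1, email=email, **fields)
        self.users.append(user)
        return user

    def latest_for(self, email):
        # The most recent record for an email decides the outcome.
        matches = [u for u in self.users if u.email == email]
        return matches[-1] if matches else None


def login(store, verified_email):
    """Map a verified email to a local account, honouring soft deletion."""
    user = store.latest_for(verified_email)
    if user is None:
        return store.add(verified_email)   # first sign-in: create the account
    if not user.deleted:
        return user                        # active account: normal sign-in
    if user.deleted_by_admin:
        # Use case 1: removed by staff. Never bind a session to this row.
        raise LoginDenied("account was removed by an administrator")
    # Use case 2: the user closed the account. The old row stays deleted
    # for audit, and the same email starts over with a fresh record.
    return store.add(verified_email)
```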
Last Resolved: 3 years ago
Resolution: --- → WONTFIX