Paypal "Unsubscribe" Button Action - Users without signup vars

I’m a bit lost on what happens when a user cancels using the Unsubscribe button - that does not have IPN_Signup_Vars.

I tested by deleting the Paid Subscr. ID from a user and entering that data into another user that I used for clicking on the Unsubscribe button.
In that case it’s very clear - the test user with the Subscriber-ID I entered isn’t changed but the user that has IPN_Signup Vars value in the database will be demoted by having the EOT date added to their account.

Is there a fallback if no IPN signup vars are found to demote the current user that clicks the button?
I actually would expect in that case both my test user as well as the user with the signup_vars to be demoted (as in having the EOT date added to their user account).

(Due to a bug in custom_value field of a user - I have over a thousand users without signup_vars. Also if users lose their link to register - and drop you an email and you create that user by hand - it will not have signup_vars. So I wonder what happens in those cases. Are they properly demoted?)

Thanks. I looked into this too.

The duplicate subscription-ID case is corrupted data, so s2Member cannot reliably know which account is intended when two users have the same subscr_id. However, for the PayPal Checkout button flow, s2Member does know which logged-in user clicked the button.

The dev build I mentioned in your other thread keeps the internal PayPal Checkout cancellation proxy tied to the logged-in user, after validating that the user’s stored subscription ID matches the cancellation request. This should prevent the button-triggered local EOT update from affecting a different account in this flow.

s2member-dev-v260517.0405.zip (1.4 MB)

The normal PayPal IPN/webhook flow still has to resolve users by subscription/payment identifiers, because PayPal does not send a trusted WordPress user ID.

:slight_smile:
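
The two lookups contrasted in the reply above, as an added example that is not part of the original posts and is not s2Member's code. All function names, field names and sample values are hypothetical and constructed, and the preference for the account that has signup vars is an assumption that mirrors the behaviour described in the question.

```php
<?php
// Constructed sample data: two accounts share one subscr_id (the corrupted case).
// Field names are hypothetical, not s2Member's actual schema.
$users = [
    101 => ['login' => 'original', 'subscr_id' => 'I-EXAMPLE0001', 'has_signup_vars' => true,  'eot' => null],
    202 => ['login' => 'testuser', 'subscr_id' => 'I-EXAMPLE0001', 'has_signup_vars' => false, 'eot' => null],
];

// Lookup by identifier only: all an IPN/webhook handler can do, because the
// notification carries no trusted WordPress user ID. Assumption: the account
// with signup vars is the one matched, as observed in the question.
function resolve_by_subscr_id(array $users, string $subscrId): ?int
{
    foreach ($users as $id => $u) {
        if ($u['has_signup_vars'] && hash_equals($u['subscr_id'], $subscrId)) {
            return $id;
        }
    }
    return null;
}

// Button flow: the session already identifies the caller, so bind to that
// account and only verify that the requested ID is the one stored for it.
function resolve_for_logged_in_user(array $users, int $currentUserId, string $subscrId): ?int
{
    $stored = $users[$currentUserId]['subscr_id'] ?? '';
    if ($stored === '' || !hash_equals($stored, $subscrId)) {
        return null; // mismatch: refuse rather than fall back to a global lookup
    }
    return $currentUserId;
}

function set_eot(array &$users, ?int $id, int $when): void
{
    if ($id !== null) {
        $users[$id]['eot'] = $when;
    }
}

$now = 1700000000; // constructed timestamp
$a = $users; set_eot($a, resolve_by_subscr_id($a, 'I-EXAMPLE0001'), $now);            // user 202 clicked, 101 changes
$b = $users; set_eot($b, resolve_for_logged_in_user($b, 202, 'I-EXAMPLE0001'), $now); // only 202 changes
$c = $users; set_eot($c, resolve_for_logged_in_user($c, 202, 'I-OTHER'), $now);       // nobody changes

foreach (['identifier lookup' => $a, 'bound to session' => $b, 'mismatched ID' => $c] as $label => $state) {
    printf("%-18s 101 eot=%s  202 eot=%s\n", $label,
        var_export($state[101]['eot'], true), var_export($state[202]['eot'], true));
}
```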