Allow password reset on account with the username matching another email; prevent registrations that match another account

Created on 2 December 2011, about 13 years ago
Updated 12 June 2023, over 1 year ago

Problem/Motivation

Currently two users can register with the same email address string: one uses it as their username and the other uses it as their email. When the user whose username is an email address (one that does not match their own email) goes to user/password to reset their password, they cannot receive the reset email: the password reset form accepts either a username or an email address, it looks the value up as an email first, and the notification goes to the account that has that string as its email.

Also, @catch asked for this in #111317-83: Allow users to login using either their username OR their e-mail address

Steps to reproduce:

  1. Create first user with username a@example.com and email b@example.com.
  2. Create second user with mail a@example.com and an arbitrary username.
  3. Go to user/password to reset password, enter a@example.com.
  4. The password reset email is sent to a@example.com; the first user (username a@example.com, email b@example.com) never gets a reset email. The only way for them to get one is to enter b@example.com instead.

Proposed resolution

When new users register, check the username and email fields against already registered users to make sure the username is not already registered as an email and vice versa.

To deal with already registered users who have conflicts, the password reset form detects when the entered value matches one account's username and another account's email, and lets the requester choose which account should receive the reset link.
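The following is an added, stand-alone model of the two behaviours described above; it is not Drupal's code and uses no Drupal APIs. It keeps a small in-memory user table (constructed data that reproduces the steps above), implements the current reset lookup (email match first, username second, one result), the proposed lookup (every matching account is returned so the form can offer a choice), and the proposed registration validation (a username may not equal an existing email and vice versa). Function and field names are illustrative.

```python
"""Model of username/email collisions on registration and password reset.

Added example for this issue, not Drupal code. Account data below is
constructed to match the reproduction steps in the issue summary.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    uid: int
    name: str
    mail: str
    status: int = 1  # 1 = active; blocked accounts never receive reset mail


# Constructed sample data: user 2 uses a@example.com as a *username*,
# user 3 uses the same string as an *email address*.
USERS = [
    Account(uid=2, name="a@example.com", mail="b@example.com"),
    Account(uid=3, name="someone", mail="a@example.com"),
]


def _norm(value: str) -> str:
    # Compare case-insensitively: email addresses are matched that way and
    # username uniqueness is enforced case-insensitively as well.
    return value.strip().lower()


def lookup_reset_current(identifier: str, users: List[Account]) -> Optional[Account]:
    """Current behaviour: the email match wins; the username match is only
    consulted when no email matched, so user 2 can never be found via
    'a@example.com'."""
    ident = _norm(identifier)
    for u in users:
        if u.status == 1 and _norm(u.mail) == ident:
            return u
    for u in users:
        if u.status == 1 and _norm(u.name) == ident:
            return u
    return None


def lookup_reset_proposed(identifier: str, users: List[Account]) -> List[Account]:
    """Proposed behaviour: return every active account whose username OR email
    equals the identifier. One hit -> send as today; several -> the form asks
    which account was meant. Sorted by uid so the choice list is stable."""
    ident = _norm(identifier)
    hits = [u for u in users
            if u.status == 1 and ident in (_norm(u.name), _norm(u.mail))]
    return sorted(hits, key=lambda u: u.uid)


def registration_errors(name: str, mail: str, users: List[Account]) -> List[Tuple[str, str]]:
    """Proposed registration validation. On top of the existing uniqueness
    checks, refuse a username that is already another account's email and an
    email that is already another account's username. Returns (field, message)
    pairs; an empty list means the registration may proceed."""
    errors: List[Tuple[str, str]] = []
    n, m = _norm(name), _norm(mail)
    for u in users:
        if _norm(u.name) == n:
            errors.append(("name", "The username %s is already taken." % name))
        if _norm(u.mail) == m:
            errors.append(("mail", "The email address %s is already registered." % mail))
        if _norm(u.mail) == n:
            errors.append(("name", "The username %s is already in use as another account's email address." % name))
        if _norm(u.name) == m:
            errors.append(("mail", "The email address %s is already in use as another account's username." % mail))
    return errors


if __name__ == "__main__":
    # Reproduce the bug, then show the proposed lookup finding both accounts.
    print("current:", lookup_reset_current("a@example.com", USERS))
    print("proposed:", [u.uid for u in lookup_reset_proposed("a@example.com", USERS)])
    print("register a@example.com as username:",
          registration_errors("a@example.com", "new@example.com", USERS))
```

When more than one account comes back from the proposed lookup, the form should present the candidates using only the string the requester already typed plus a non-sensitive discriminator (for example "the account that uses this as its username" versus "as its email address") rather than revealing the other account's real email or username, otherwise the reset form becomes an enumeration aid.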

Remaining tasks

User interface changes

Password reset form UI change: if the entered value matches one account's username and a different account's email, the form lets the user pick which account they meant. Screenshot:

After shot 2 in #117 shows some errors.

API changes

N/A

Original report by hefox

Seems like it should be part of validation due to how email is used. Edge case, but could happen with forgetful users.

1) Make a user with username 'example@example.com' and email != that
2) Make a user with mail 'example@example.com'
3) Go to user/pass to reset password, enter 'example@example.com'.
4) Password email will be sent to example@example.com; the first user will not be able to get a password email with their username.

There should be an option to disable the password strength check in the settings for user registration. Right now it can only be disabled by a custom module with a hack messing with the javascript function that checks the password.

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
User module 

Last updated about 20 hours ago

Created by

🇺🇸United States hefox

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.


Comments & Activities

