- Issue created by @tallytarik
On the standard login form (/user/login), if you try to log in with a blocked username, you'll see the message "The username %name has not been activated or is blocked."
This reveals that this username is valid. Although the account is blocked, it could be reactivated in the future.
The error message is set in core's UserLoginForm::validateName function, which is added as a validation function in ::buildForm. Because this is the first validation function that runs, it reveals the account's existence even if you enter an invalid password.
Validating blocked user names is the only task of ::validateName, so we could alter this form to replace this validation function with our own.
Active
1.0
Code
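One way to do the replacement proposed in the issue, as an added example that is not code from the issue or from any existing module. The module name `mymodule` and the validator name are hypothetical, and the generic message text is assumed to match the invalid-credentials message of the installed core version.

```php
<?php

/**
 * @file
 * Added example for a hypothetical module named "mymodule".
 */

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Implements hook_form_FORM_ID_alter() for user_login_form.
 */
function mymodule_form_user_login_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Swap core's handler in place so the order of validation is unchanged.
  $key = array_search('::validateName', $form['#validate'] ?? [], TRUE);
  if ($key !== FALSE) {
    $form['#validate'][$key] = 'mymodule_user_login_validate_name';
  }
}

/**
 * Rejects blocked accounts without confirming that the username exists.
 */
function mymodule_user_login_validate_name(array &$form, FormStateInterface $form_state) {
  if ($form_state->isValueEmpty('name')) {
    return;
  }
  $name = $form_state->getValue('name');
  $account = user_load_by_name($name);
  // Keep the blocked-account check, but answer with the generic failure text.
  if ($account && $account->isBlocked()) {
    // Assumption: this text mirrors core's invalid-credentials message.
    // Compare it with UserLoginForm::validateFinal() on your core version,
    // since any difference in wording would still identify blocked names.
    $form_state->setErrorByName('name', t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [
      ':password' => Url::fromRoute('user.pass', [], ['query' => ['name' => $name]])->toString(),
    ]));
  }
}
```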