Contrib.social

Blocked user existence is revealed on login form

Open on Drupal.org β†’
Created on 23 January 2023, almost 2 years ago

Problem/Motivation

On the standard login form (/user/login), if you try to log in with a blocked username, you'll see the message The username %name has not been activated or is blocked.

This reveals that this username is valid. Although the account is blocked, it could be reactivated in the future.

Steps to reproduce

  1. Block a user
  2. Visit /user/login
  3. Try to log in as the blocked user
  4. Note the error message The username %name has not been activated or is blocked., which reveals that this is a valid username

Proposed resolution

The error message is set in core's UserLoginForm::validateName function, which is added as a validation function in ::buildForm. Because this is the first validation function that runs, it reveals the account's existence even if you enter an invalid password.

Validating blocked user names is the only task of ::validateName, so we could alter this form to replace this validation function with our own.

Remaining tasks

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡¦πŸ‡ΊAustralia tallytarik

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024