Blocked user existence is revealed on login form

Created on 23 January 2023, over 1 year ago

Problem/Motivation

On the standard login form (/user/login), if you try to log in with a blocked username, you'll see the message "The username %name has not been activated or is blocked."

This reveals that this username is valid. Although the account is blocked, it could be reactivated in the future.

Steps to reproduce

  1. Block a user
  2. Visit /user/login
  3. Try to log in as the blocked user
  4. Note the error message "The username %name has not been activated or is blocked.", which reveals that this is a valid username

Proposed resolution

The error message is set in core's UserLoginForm::validateName function, which is added as a validation function in ::buildForm. Because this is the first validation function that runs, it reveals the account's existence even if you enter an invalid password.

Validating blocked user names is the only task of ::validateName, so we could alter this form to replace this validation function with our own.
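One way to do the swap described above, written as an added example (not this module's code and not from the issue reporter) for a hypothetical module named mymodule against Drupal 10 core APIs. The important detail is that the replacement still has to refuse the blocked account: core's UserAuth::authenticate() checks only the username and password, not the status field, so removing ::validateName without a replacement would let a blocked user with a valid password log in. The replacement therefore keeps the check but reports it with the same generic text core's ::validateFinal uses for an unknown username or a wrong password.

```php
<?php

/**
 * @file
 * Added example (not the module's own code): replace core's blocked-user
 * check on the login form so the response is the same generic message
 * whether the username is blocked, unknown, or the password is wrong.
 *
 * Assumes a hypothetical module named "mymodule" and Drupal 10 core APIs.
 */

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Implements hook_form_FORM_ID_alter() for user_login_form.
 */
function mymodule_form_user_login_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Core's UserLoginForm::buildForm() appends '::validateName',
  // '::validateAuthentication' and '::validateFinal' in that order. Swap only
  // the first one in place so the order of the remaining handlers (and the
  // flood control they perform) is unchanged.
  foreach ($form['#validate'] as $key => $handler) {
    if ($handler === '::validateName') {
      $form['#validate'][$key] = 'mymodule_login_validate_name';
    }
  }
}

/**
 * Replacement for UserLoginForm::validateName().
 *
 * A blocked account is still refused; only the message differs. It is the
 * text core's ::validateFinal() uses for an unknown username or a wrong
 * password, so the three cases read identically in the response body.
 */
function mymodule_login_validate_name(array &$form, FormStateInterface $form_state) {
  if ($form_state->isValueEmpty('name')) {
    return;
  }
  $name = $form_state->getValue('name');

  // Look up a user with this name that is blocked (status = 0).
  $blocked = \Drupal::entityTypeManager()
    ->getStorage('user')
    ->loadByProperties(['name' => $name, 'status' => 0]);

  if ($blocked) {
    // Same message and same "Forgot your password?" link that core emits
    // for a failed login, including the prefilled name in the query string.
    $user_input = $form_state->getUserInput();
    $query = isset($user_input['name']) ? ['name' => $user_input['name']] : [];
    $form_state->setErrorByName('name', t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [
      ':password' => Url::fromRoute('user.pass', [], ['query' => $query])->toString(),
    ]));
  }
}
```

With this in place, ::validateAuthentication and ::validateFinal still run after the custom handler. If the password is wrong, ::validateFinal sets the same error text (Drupal keeps the first error recorded for a given element, so the message is not duplicated). One caveat worth testing: a blocked account submitted with its correct password takes a slightly different server-side path than an unknown account (core's flood control records no failed attempt), so the message is uniform but side channels such as timing or log entries are not necessarily identical.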

Remaining tasks

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇦🇺 Australia tallytarik
