Problem/Motivation
Currently two users can register with the same email address: one uses it as a username and the other uses it as an email. When the user whose username is an email address (one that does not match their own email address) navigates to user/password to reset their password, they cannot receive the reset email, because the password reset form accepts either a username or an email address, and the notification goes to the account that has that value as its email.
Also, @catch asked for this in #111317-83: Allow users to login using either their username OR their e-mail address
Steps to reproduce:
- Create the first user with username a@example.com and email b@example.com.
- Create a second user with email a@example.com and an arbitrary username.
- Go to user/password to reset the password and enter a@example.com.
- The password email will be sent to a@example.com; the first user (with username a@example.com and email b@example.com) will not get a password email. (The only way for them to get the password reset would be to request it for the email b@example.com.)
Proposed resolution
When new users register, check the username and email fields against already registered users to make sure the username is not already registered as an email and vice versa.
To deal with already registered users who have conflicts, when the value entered on the password reset form matches one account's username and another account's email, the user is allowed to select which account the password reset link should be emailed to.
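The two checks proposed above, as an added illustration that is not part of the issue or of Drupal core: a registration validator that rejects a username equal to an existing email (and vice versa), and a reset resolver that returns every account an identifier could mean so the form can ask which one was intended. The Account class, the comparison rule and the sample accounts are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    uid: int
    name: str
    mail: str


def _norm(value: str) -> str:
    # Assumed matching rule: case-insensitive, surrounding whitespace ignored.
    return value.strip().lower()


def validate_registration(name: str, mail: str, accounts: list[Account]) -> list[str]:
    """Errors for a new (name, mail) pair: besides plain uniqueness, reject a
    username that equals another account's email and an email that equals
    another account's username, so no identifier can later be ambiguous."""
    errors = []
    n, m = _norm(name), _norm(mail)
    for acct in accounts:
        other_name, other_mail = _norm(acct.name), _norm(acct.mail)
        if n == other_name:
            errors.append(f"The username {name} is already taken.")
        if m == other_mail:
            errors.append(f"The e-mail address {mail} is already registered.")
        if n == other_mail:
            errors.append(f"The username {name} is in use as another account's e-mail address.")
        if m == other_name:
            errors.append(f"The e-mail address {mail} is in use as another account's username.")
    return errors


def resolve_reset_identifier(identifier: str, accounts: list[Account]) -> list[Account]:
    """Every account the reset identifier matches by username or email.
    One result: send the link; several: let the user choose the account."""
    ident = _norm(identifier)
    return [acct for acct in accounts if ident in (_norm(acct.name), _norm(acct.mail))]


# Constructed sample data reproducing the conflict described in the issue.
ACCOUNTS = [
    Account(1, "a@example.com", "b@example.com"),
    Account(2, "someone", "a@example.com"),
]
```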
Remaining tasks
- (done) document/update steps to test/reproduce (how to: http://drupal.org/node/1468198) (see #44, #51)
- get screenshot of error when following the steps to reproduce, at step 2.
- get screenshot of the other way around: 1) create a user with an arbitrary username and email a@example.com. 2) create another user with username a@example.com and email b@example.com.
User interface changes
Password reset form UI change: if the entered value matches one account's username and another account's email, the form lets the user pick which account they meant. Screenshot:
After shot 2 in #117 shows some errors.
API changes
N/A
Original report by hefox
Seems like it should be part of validation due to how email is used. Edge case, but could happen with forgetful users.
1) Make a user with username 'example@example.com' and email != that
2) Make a user with mail 'example@example.com'
3) Go to user/pass to reset password, enter 'example@example.com'.
4) Password email will be sent to example@example.com; the first user will not be able to get a password email with their username.
There should be an option to disable the password strength check in the settings for user registration. Right now it can only be disabled by a custom module with a hack messing with the javascript function that checks the password.