diff --git a/core/modules/user/lib/Drupal/user/AccountFormController.php b/core/modules/user/lib/Drupal/user/AccountFormController.php
index 2c6f182..cd66fb5 100644
--- a/core/modules/user/lib/Drupal/user/AccountFormController.php
+++ b/core/modules/user/lib/Drupal/user/AccountFormController.php
@@ -256,16 +256,31 @@ abstract class AccountFormController extends EntityFormController {
if ($error = user_validate_name($form_state['values']['name'])) {
form_set_error('name', $error);
}
- // Cast the user ID as an integer. It might have been set to NULL, which
- // could lead to unexpected results.
else {
- $name_taken = (bool) db_select('users')
- ->fields('users', array('uid'))
- ->condition('uid', (int) $account->uid, '<>')
- ->condition('name', db_like($form_state['values']['name']), 'LIKE')
- ->range(0, 1)
- ->execute()
- ->fetchField();
+ // For new registrations, make sure the username does not conflict with an
+ // existing user's email address.
+ if (empty($account->uid)) {
+ $name_taken = (bool) db_select('users')
+ ->fields('users', array('uid'))
+ ->condition(
+ db_or()
+ ->condition('name', db_like($form_state['values']['name']), 'LIKE')
+ ->condition('mail', db_like($form_state['values']['name']), 'LIKE')
+ )->range(0, 1)
+ ->execute()
+ ->fetchField();
+ }
+ else {
+ // Cast the user ID as an integer. It might have been set to NULL,
+ // which could lead to unexpected results.
+ $name_taken = (bool) db_select('users')
+ ->fields('users', array('uid'))
+ ->condition('uid', (int) $account->uid, '<>')
+ ->condition('name', db_like($form_state['values']['name']), 'LIKE')
+ ->range(0, 1)
+ ->execute()
+ ->fetchField();
+ }
if ($name_taken) {
form_set_error('name', t('The name %name is already taken.', array('%name' => $form_state['values']['name'])));
@@ -276,13 +291,28 @@ abstract class AccountFormController extends EntityFormController {
$mail = $form_state['values']['mail'];
if (!empty($mail)) {
- $mail_taken = (bool) db_select('users')
- ->fields('users', array('uid'))
- ->condition('uid', (int) $account->uid, '<>')
- ->condition('mail', db_like($mail), 'LIKE')
- ->range(0, 1)
- ->execute()
- ->fetchField();
+ // For new registrations, make sure the email address does not conflict with
+ // an existing user's username.
+ if (empty($account->uid)) {
+ $mail_taken = (bool) db_select('users')
+ ->fields('users', array('uid'))
+ ->condition(
+ db_or()
+ ->condition('mail', db_like($mail), 'LIKE')
+ ->condition('name', db_like($mail), 'LIKE')
+ )->range(0, 1)
+ ->execute()
+ ->fetchField();
+ }
+ else {
+ $mail_taken = (bool) db_select('users')
+ ->fields('users', array('uid'))
+ ->condition('uid', (int) $account->uid, '<>')
+ ->condition('mail', db_like($mail), 'LIKE')
+ ->range(0, 1)
+ ->execute()
+ ->fetchField();
+ }
if ($mail_taken) {
// Format error message dependent on whether the user is logged in or not.
diff --git a/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php b/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php
index 6bf60bc..0a5fcd5 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserEditTest.php
@@ -99,4 +99,30 @@ class UserEditTest extends WebTestBase {
$this->drupalPost("user/$user1->uid/edit", array('mail' => ''), t('Save'));
$this->assertRaw(t("The changes have been saved."));
}
+
+ /**
+ * Check that existing users whose username matches another user's email
+ * address or vice versa are not forced to update their username or email
+ * address.
+ */
+ function testUserEditWithConflicts() {
+ $user_with_email = $this->drupalCreateUser();
+ $user_with_name = $this->drupalCreateUser();
+
+ // Change the second user's username to the same value as the first user's
+ // email address.
+ $user_with_name->name = $user_with_email->mail;
+ $user_with_name->save();
+
+ // Test that the first user can save their account with no errors.
+ $this->drupalLogin($user_with_email);
+ $this->drupalPost("user/$user_with_email->uid/edit", array(), t('Save'));
+ $this->assertText(t("The changes have been saved."), "The user does not need to change their username if it matches another user's email address.");
+ $this->drupalLogout();
+
+ // Test that the second user can save their account with no errors.
+ $this->drupalLogin($user_with_name);
+ $this->drupalPost("user/$user_with_name->uid/edit", array(), t('Save'));
+ $this->assertText(t("The changes have been saved."), "The user does not need to change their email address if it matches another user's username.");
+ }
}
diff --git a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
index 575409f..85a95ef 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
@@ -24,6 +24,60 @@ class UserPasswordResetTest extends WebTestBase {
}
/**
+ * Attempts to reset a password when an email address matches two accounts.
+ */
+ function testUserPasswordResetDuplicateUsers() {
+ // Don't require email validation for new accounts.
+ variable_set('user_email_verification', FALSE);
+
+ // Don't require admin approval for new accounts.
+ variable_set('user_register', USER_REGISTER_VISITORS);
+
+ // Create two users.
+ $user_with_email = $this->drupalCreateUser();
+ $user_with_name = $this->drupalCreateUser();
+
+ // Change the second user's username to the same value as the first user's
+ // email address.
+ $user_with_name->name = $user_with_email->mail;
+ $user_with_name->save();
+
+ // Try and reset based on the duplicated email.
+ $edit = array();
+ $edit['name'] = $user_with_email->mail;
+ $this->drupalPost('user/password', $edit, t('E-mail new password'));
+ // There should be a field prompting the user to pick and account.
+ $this->assertField('choose_account', 'User is prompted to pick an account when email matches two accounts.');
+ // We should be sure to not expose another user's email to the user.
+ $this->assertNoText($user_with_name->mail, "Duplicated user's email is not exposed to the other user.");
+
+ // Select the account with the username matching the entered email.
+ $edit = array();
+ $edit['choose_account'] = drupal_hash_base64(drupal_get_hash_salt() . $user_with_email->uid);
+ $this->drupalPost(NULL, $edit, t('E-mail new password'));
+ $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'User is notified that password reset was sent.');
+
+ // Make sure that right user was sent a reset email.
+ $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_email->mail))), 1, 'The right user was sent a password reset mail.');
+ // Make sure that the other user was not sent an email.
+ $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_name->mail))), 0, 'The other user was not sent a password reset mail.');
+
+ // If the user is logged in, they should not have to choose an account to
+ // reset their password.
+ $this->drupalLogin($user_with_name);
+ $this->drupalGet('user/password');
+ // There should not be a form element for name.
+ $this->assertNoField('name', 'Duplicate user is not asked for a name when resetting password while logged in.');
+ $this->drupalPost(NULL, array(), t('E-mail new password'));
+ // Make sure the user with the matching username was sent an email.
+ $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'User is notified that password reset was sent when logged in.');
+ $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_name->mail))), 1, 'The right user was sent a password reset mail when logged in.');
+ // Make sure that the user with the matching email address was not sent an
+ // email. (An email was already sent to this user earlier.)
+ $this->assertEqual(count($this->drupalGetMails(array('key' => 'password_reset', 'to' => $user_with_email->mail))), 1, 'The other user was not sent a password reset mail when logged in.');
+ }
+
+ /**
* Tests password reset functionality.
*/
function testUserPasswordReset() {
diff --git a/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php b/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php
index d89192f..75ba0b7 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserRegistrationTest.php
@@ -148,6 +148,43 @@ class UserRegistrationTest extends WebTestBase {
$this->assertText(t('The e-mail address @email is already registered.', array('@email' => $duplicate_user->mail)), t('Supplying a duplicate email address with added whitespace displays an error message'));
}
+ /**
+ * Ensure that a new account cannot be created when the username matches an
+ * existing user's email address, or when the email address matches an
+ * existing user's username.
+ */
+ function testRegistrationConflicts() {
+ // Don't require e-mail verification.
+ variable_set('user_email_verification', FALSE);
+
+ // Allow registration by site visitors without administrator approval.
+ variable_set('user_register', USER_REGISTER_VISITORS);
+
+ // Set up a user to check for duplicates.
+ $duplicate_user = $this->drupalCreateUser();
+
+ $edit = array();
+ $edit['name'] = $duplicate_user->mail;
+ $edit['mail'] = $this->randomName() . '@example.com';
+
+ // Attempt to create a new account using a username that matches an
+ // existing email.
+ $this->drupalPost('user/register', $edit, t('Create new account'));
+ $this->assertText(t('The name @name is already taken.', array('@name' => $edit['name'])), "A user cannot be created when their username matches an existing user's email address.");
+
+ // Change the username to an email address.
+ $duplicate_user->name = $name = $this->randomName() . '@example.com';
+ $duplicate_user->save();
+
+ $edit['name'] = $this->randomName();
+ $edit['mail'] = $name;
+
+ // Attempt to create a new account using an email that matches an existing
+ // username.
+ $this->drupalPost('user/register', $edit, t('Create new account'));
+ $this->assertText(t('The e-mail address @email is already registered.', array('@email' => $edit['mail'])), "A user cannot be created when their email address matches an existing username.");
+ }
+
function testRegistrationDefaultValues() {
$config = config('user.settings');
// Don't require e-mail verification and allow registration by site visitors
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index d26ca6d..1458ee7 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -32,62 +32,136 @@ function user_autocomplete($string = '') {
* @see user_pass_validate()
* @see user_pass_submit()
*/
-function user_pass() {
+function user_pass($form, &$form_state) {
global $user;
- $form['name'] = array(
- '#type' => 'textfield',
- '#title' => t('Username or e-mail address'),
- '#size' => 60,
- '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),
- '#required' => TRUE,
- );
- // Allow logged in users to request this also.
- if ($user->uid > 0) {
- $form['name']['#type'] = 'value';
- $form['name']['#value'] = $user->mail;
- $form['mail'] = array(
- '#prefix' => '',
- '#markup' => t('Password reset instructions will be mailed to %email. You must log out to use the password reset link in the e-mail.', array('%email' => $user->mail)),
- '#suffix' => '
',
+ // When a user requests a password reset we check for username and email
+ // conflicts using a multistep form.
+ if (empty($form_state['step'])) {
+ $form_state['step'] = 1;
+ }
+
+ if ($form_state['step'] == 1) {
+ $form['name'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Username or e-mail address'),
+ '#size' => 60,
+ '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),
+ '#required' => TRUE,
);
+ // Allow logged in users to request this also.
+ if ($user->uid > 0) {
+ $form['name']['#type'] = 'value';
+ $form['name']['#value'] = $user->mail;
+ $form['mail'] = array(
+ '#prefix' => '',
+ '#markup' => t('Password reset instructions will be mailed to %email. You must log out to use the password reset link in the e-mail.', array('%email' => $user->mail)),
+ '#suffix' => '
',
+ );
+ }
+ }
+ else {
+ // Where there is a conflict between the username and email address for two
+ // users we supply both accounts as an option for the password reset.
+ $accounts = $form_state['storage']['accounts'];
+ $options = array();
+ foreach ($accounts as $account) {
+ $label = t('The account with the username: @name', array('@name' => $account->name));
+ if ($account->mail == $form_state['storage']['name']) {
+ $label = t('The account with the email address: @email', array('@email' => $account->mail));
+ }
+ $options[drupal_hash_base64(drupal_get_hash_salt() . $account->uid)] = $label;
+ }
+ $form['choose_account'] = array(
+ '#type' => 'radios',
+ '#title' => t('Choose account'),
+ '#required' => TRUE,
+ '#prefix' => "" . t("There is a username conflict with the email address @email. Please select which account password to reset.", array('@email' => $form_state['storage']['name'])) . "
",
+ '#options' => $options,
+ '#default_value' => drupal_hash_base64(drupal_get_hash_salt() . reset($accounts)->uid),
+ );
+
}
$form['actions'] = array('#type' => 'actions');
- $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('E-mail new password'));
+ if ($form_state['step'] == 2) {
+ $form['actions']['cancel'] = array(
+ '#type' => 'submit',
+ '#value' => t('Cancel'),
+ '#name' => 'cancel',
+ '#limit_validation_errors' => array(),
+ );
+ }
+ $form['actions']['submit'] = array(
+ '#type' => 'submit',
+ '#value' => t('E-mail new password'),
+ '#name' => 'submit'
+ );
return $form;
}
function user_pass_validate($form, &$form_state) {
- $name = trim($form_state['values']['name']);
- // Try to load by email.
- $users = entity_load_multiple_by_properties('user', array('mail' => $name, 'status' => '1'));
- $account = reset($users);
- if (!$account) {
- // No success, try to load by name.
- $users = entity_load_multiple_by_properties('user', array('name' => $name, 'status' => '1'));
- $account = reset($users);
- }
- if (isset($account->uid)) {
- form_set_value(array('#parents' => array('account')), $account, $form_state);
- }
- else {
- form_set_error('name', t('Sorry, %name is not recognized as a username or an e-mail address.', array('%name' => $name)));
+ if ($form_state['step'] == 1) {
+ $name = trim($form_state['values']['name']);
+ $accounts = array();
+ // Try to load by email.
+ $users = entity_load_multiple_by_properties('user', array('mail' => $name, 'status' => '1'));
+ $account_by_email = reset($users);
+ if ($account_by_email) {
+ $accounts[drupal_hash_base64(drupal_get_hash_salt() . $account_by_email->uid)] = $account_by_email;
+ }
+ // Also try to load by user name, but only when the user is not logged in.
+ global $user;
+ if ($user->uid == 0) {
+ $users = entity_load_multiple_by_properties('user', array('name' => $name, 'status' => '1'));
+ $account_by_name = reset($users);
+ if ($account_by_name) {
+ $accounts[drupal_hash_base64(drupal_get_hash_salt() . $account_by_name->uid)] = $account_by_name;
+ }
+ }
+ if (!empty($accounts)) {
+ form_set_value(array('#parents' => array('accounts')), $accounts, $form_state);
+ }
+ else {
+ form_set_error('name', t('Sorry, %name is not recognized as a username or an e-mail address.', array('%name' => $name)));
+ }
}
}
function user_pass_submit($form, &$form_state) {
$language_interface = language(LANGUAGE_TYPE_INTERFACE);
- $account = $form_state['values']['account'];
- // Mail one time login URL and instructions using current language.
- $mail = _user_mail_notify('password_reset', $account, $language_interface);
- if (!empty($mail)) {
- watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));
- drupal_set_message(t('Further instructions have been sent to your e-mail address.'));
+ if ($form_state['step'] == 1) {
+ $accounts = $form_state['values']['accounts'];
+ if (count($accounts) > 1) {
+ $form_state['step'] = 2;
+ $form_state['storage']['name'] = $form_state['values']['name'];
+ $form_state['storage']['accounts'] = $accounts;
+ $form_state['rebuild'] = TRUE;
+ }
+ else {
+ $account = reset($accounts);
+ }
+ }
+ else {
+ if ($form_state['clicked_button']['#name'] == 'submit') {
+ $chosen_account = $form_state['values']['choose_account'];
+ $account = $form_state['storage']['accounts'][$chosen_account];
+ }
+ else {
+ $form_state['redirect'] = 'user/password';
+ }
}
+ if (isset($account)) {
+ // Mail one-time login URL and instructions using current language.
+ $mail = _user_mail_notify('password_reset', $account, $language_interface);
+ if (!empty($mail)) {
+ watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));
+ drupal_set_message(t('Further instructions have been sent to your e-mail address.'));
+ }
- $form_state['redirect'] = 'user';
+ $form_state['redirect'] = 'user';
+ }
return;
}