Problem/Motivation

By default Drupal enables account creation (with verification)
This is no longer adequate since you will quickly get flooded by many, many, many spam accounts.
If you are going to enable anonymous account creation you need to set up several contrib modules to protect your site before you enable them.

Steps to reproduce

Install Drupal fresh.

Proposed resolution

Set account creation to Administrators only by default.

Remaining tasks

None

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

The default value of the "Who can register accounts?" setting has changed from "Visitors, but administrator approval is required" to "Administrators only" for any new sites built with either the "Standard" or "Minimal" installation profiles.

Issue fork drupal-3453676

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

nicxvan created an issue. See original summary.

mandclu’s picture

mandclu commented
Title: Disable account creation be default in Drupal » Disable account creation by default in Drupal

+1 for this idea. Providing the most secure option as the default makes sense.

cilefen’s picture

cilefen commented
Title: Disable account creation by default in Drupal » Make "Who can register accounts?" "Administrators only" by default

+1

dww’s picture

dww
we/he/they
commented

+1. I have to do this on every site I set up. Admin-only should be the default until folks opt-in to something more permissive.

nicxvan opened merge request !8363

nicxvan’s picture

nicxvan commented

I updated the minimal test to match new defaults.

nicxvan’s picture

nicxvan commented
Status: Active » Needs review
Issue tags: +Needs product manager review
dww’s picture

dww
we/he/they
commented
Issue summary: View changes
Status: Needs review » Reviewed & tested by the community
  1. Changes look reasonable to me, and IMHO are all in scope.
  2. Pipeline is green.
  3. I took a stab at a release note snippet (which we'll definitely need).
  4. I'm not sure if this needs a CR for distribution maintainers, too.
  5. Bumping to RTBC so the Product managers will see it and make a final call both on the change, and the need for a CR or not.

Thanks!
-Derek

nicxvan’s picture

nicxvan commented
Issue summary: View changes
lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
commented
Issue tags: -Needs product manager review

This feature to some extent goes together with the Comment module because this way you can get your username verified. I still think it makes sense to disable this behavior by default because usually if you want to accept registrations on the site, that's would be an explicit decision. It seems fine to require an extra step for that, given that there's likely couple of other extra steps you'd have to take in order to avoid getting tons of spam accounts.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented

I agree with Lauri and others above. Unfortunately the internet became a place where you need to set up extensive protections to even attempt to enable user registration publicly. :/ Most of those don't come with core so you may be in for some nasty surprises before you may have a chance to set up the tools to avoid it.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work

Added a review comment to the MR - we need to add a positive assertion to the test now that we changed an assertion to a negative one.

nicxvan’s picture

nicxvan commented

I addressed @alexpott's feedback, I'll create a change record, I didn't see anyone say it's necessary, but I suspect it will be.

nicxvan’s picture

nicxvan commented
Status: Needs work » Needs review

CR created.

dww’s picture

dww
we/he/they
commented
Status: Needs review » Reviewed & tested by the community
  1. I made a very minor edit to the CR. Agreed it’s worth having.
  2. Good catch on the test comment. Apologies I missed that. That’s what I get for quickly reviewing on my phone. 😅
  3. Changes look good. Feedback addressed. Pipeline is green.

Back to RTBC.

Thanks,
-Derek

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed
Issue tags: +11.1.0 release notes

Committed b719931 and pushed to 11.x. Thanks!

  • alexpott committed b719931e on 11.x 
    Issue #3453676 by nicxvan, alexpott, dww, lauriii, Gábor Hojtsy: Make "...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Issue tags: +11.1.0 release highlights

nicxvan closed merge request !8363

ressa’s picture

ressa
he/him
commented
Related issues: +#2658980: "Who can register accounts?" should be set to "Administrators only" by default.

Thanks for making this change, adding an older issue, suggesting the same thing, back in 2016.

ressa’s picture

ressa
he/him
commented

I suggested #3558703: Add account creation check in the great Security Review module.