I'm not sure if this is a "feature" or an omission?

Consider the following chain of events ...
- User signs up and receives validation email
- User's account is blocked by admin
- User is unable to log in (which is desired)
- but user then clicks on validation link and is logged in.

This behaviour is made possible as no check is made to see if the user status is set to 1 before handing control over to the logintoboggan_process_login function within logintoboggan_validate_email. Perhaps adding something like this:

function logintoboggan_validate_email( ....
...
...
      switch ($action) {
        // Proceed with normal user login.
        case 'login':
          /**
           * Only actually carry out the logon if the account->status is not 0
           */
          if ($account->status) {
            drupal_set_message(t('You have successfully validated your e-mail address.'));
            drupal_goto(logintoboggan_process_login($account, $redirect));
          }
          else {
            drupal_set_message(t('Your account has been blocked or is not yet activated'));
          }
          break;
...
...
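
A self-contained model of the missing check described in the post above, added here as an example and not taken from LoginToboggan or Drupal. It puts a validation handler without the status check beside one with it and runs a small regression check over both; all function names, the status constants and the sample accounts are hypothetical.

```php
<?php
// Added example: simplified model, not LoginToboggan or Drupal code.
// All function names and the sample accounts are hypothetical/constructed.

const STATUS_BLOCKED = 0;
const STATUS_ACTIVE  = 1;

/** Shared last step of a login path: returns the session owner. */
function process_login(stdClass $account): string {
    return $account->name;
}

/** Before the fix: a valid token alone reaches process_login(). */
function validate_email_unchecked(stdClass $account, string $token): ?string {
    return hash_equals($account->token, $token) ? process_login($account) : null;
}

/** After the fix: the token proves e-mail ownership, status gates the login. */
function validate_email_checked(stdClass $account, string $token): ?string {
    if (!hash_equals($account->token, $token)) {
        return null;
    }
    if ((int) $account->status !== STATUS_ACTIVE) {
        return null; // blocked or not yet activated: no session
    }
    return process_login($account);
}

/** Regression check: names of non-active accounts a handler would log in. */
function blocked_logins(callable $handler, array $accounts): array {
    $leaks = [];
    foreach ($accounts as $a) {
        if ((int) $a->status !== STATUS_ACTIVE && $handler($a, $a->token) !== null) {
            $leaks[] = $a->name;
        }
    }
    return $leaks;
}

// Constructed accounts: alice was blocked by an admin before validating.
$accounts = [
    (object) ['name' => 'alice', 'status' => STATUS_BLOCKED, 'token' => 'tok-a'],
    (object) ['name' => 'bob',   'status' => STATUS_ACTIVE,  'token' => 'tok-b'],
];

foreach (['validate_email_unchecked', 'validate_email_checked'] as $handler) {
    $leaks = blocked_logins($handler, $accounts);
    printf("%-26s blocked accounts logged in: %s\n", $handler, $leaks ? implode(', ', $leaks) : 'none');
}
```

A check like `blocked_logins()` can be kept as a regression test and pointed at every handler that ends in the shared login step, so that a new entry point cannot skip the status check unnoticed.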

Comments

hunmonk’s picture

Status: Active » Fixed

fix applied to 4.7/HEAD. see http://drupal.org/cvs?commit=48277 for details.

Anonymous’s picture

Status: Fixed » Closed (fixed)