I'm not sure if this is a "feature" or an omission?
Consider the following chain of events ...
- User signs up and receives validation email
- User's account is blocked by admin
- User is unable to login (which is desired)
but - user then clicks on validation link and is logged in.
This behaviour is made possible as no check is made to see if the user status is set to 1 before handing control over to the logintoboggan_process_login function within the logintoboggan_validate_email - perhaps adding something like this:
function logintoboggan_validate_email( ....
  ...
  ...
  switch ($action) {
    // Proceed with normal user login.
    case 'login':
      /**
       * Only actually carry out the logon if the account->status is not 0
       */
      if ($account->status) {
        drupal_set_message(t('You have successfully validated your e-mail address.'));
        drupal_goto(logintoboggan_process_login($account, $redirect));
      }
      else {
        drupal_set_message(t('Your account has been blocked or is not yet activated'));
      }
      break;
    ...
    ...
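The chain of events in the report, as an added stand-alone example (plain PHP, not LoginToboggan's code and not part of the original post): the validation token stays authentic after an admin blocks the account, so the status check has to happen when the link is redeemed. The names `make_validation_token`, `redeem_validation_link`, `SECRET` and the sample accounts are hypothetical and constructed for illustration.

```php
<?php
// Added example: a model of a validation-link login, not the module's implementation.
const SECRET = 'constructed-demo-secret';

// Constructed sample accounts. bob was blocked by an admin (status 0) after
// his validation e-mail had already been sent.
$accounts = [
  2 => ['name' => 'alice', 'status' => 1, 'pass' => 'hash-a'],
  3 => ['name' => 'bob',   'status' => 0, 'pass' => 'hash-b'],
];

// The token is bound to uid, issue time and password hash, but not to status,
// so blocking the account later does not invalidate a link already mailed out.
function make_validation_token(int $uid, int $timestamp, string $pass): string {
  return hash_hmac('sha256', "$uid:$timestamp:$pass", SECRET);
}

// Returns 'login' only if the link is authentic, fresh, and the account is active now.
function redeem_validation_link(array $accounts, int $uid, int $timestamp,
                                string $token, int $now, int $ttl = 86400): string {
  if (!isset($accounts[$uid])) {
    return 'denied: unknown account';
  }
  $account = $accounts[$uid];
  $expected = make_validation_token($uid, $timestamp, $account['pass']);
  if (!hash_equals($expected, $token)) {
    return 'denied: bad token';
  }
  if ($timestamp > $now || $now - $timestamp > $ttl) {
    return 'denied: link expired';
  }
  // The check the report asks for: read the current status at redemption time.
  if (empty($account['status'])) {
    return 'denied: account blocked';
  }
  return 'login';
}

// Both users hold a genuine link issued at the same (constructed) time.
$issued = 1000000;
foreach ($accounts as $uid => $account) {
  $token = make_validation_token($uid, $issued, $account['pass']);
  $result = redeem_validation_link($accounts, $uid, $issued, $token, $issued + 60);
  echo $account['name'], ': ', $result, "\n";
}
```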
Comments
Comment #1
hunmonk commented: fix applied to 4.7/HEAD. see http://drupal.org/cvs?commit=48277 for details.