When a user is pre-authorized, their e-mail address has not yet been validated. This allows accounts to be registered using e-mail addresses that belong to other people. To prevent possible abuse, no e-mails should ever be sent out to pre-authorized users, except the ones needed to recover a lost account, such as the 'user registration' messages and 'password reset' messages.
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | 1901964-13-logintoboggan_do_not_mail_pre_auth.patch | 1.89 KB | stevecowie |
| #1 | 1901964-1-logintoboggan-do_not_mail_pre_auth.patch | 2.11 KB | pfrenssen |
Comments
Comment #1
pfrenssen
Comment #2
ppelgrims commented: After applying the patch and testing I ran into the following messages:
This sounds contradictory but I didn't receive the e-mail (Yay!) I reckon this patch needs a little bit more work in order to prevent said messages from being displayed.
edit: Ignore this, it's probably related to my set up.
Comment #3
ppelgrims commented: Sorry it took me so long to get back to this. This works but I still got a message saying the e-mail was sent. I used disable_messages to get rid of it.
On the settings page I entered this:
Don't forget the punctuation!
Comment #4
ppelgrims commented: Maybe some more people need to test this?
Comment #5
pfrenssen commented: Thanks for testing! I totally forgot about this issue. It's possible you get the message, but that is then probably a bug in core, this patch just sets the 'send' flag in hook_mail_alter() as documented:
I wonder if this is not a minor security risk? I can imagine some scenarios in which users can trigger mails to be sent (for example when a mail is sent out to users whenever a news article is posted) and they could technically set up a spam service by maliciously registering hundreds of email addresses and then posting an article.
I'm going to raise the priority on this to catch the attention of the maintainers.
Comment #6
ppelgrims commented: You reckon they'd use Drupal for that? I guess that's outside the scope of this issue anyway, haha
Comment #7
pfrenssen commented: No I mean you could abuse an existing Drupal site for that, for example a forum could have a feature to notify all users when a sticky is posted. It's quite an unlikely scenario though :)
Comment #8
ppelgrims commented: Can we get this in the new dev version and eventually in the next release? Thanks!
Comment #9
stevecowie commented: This makes sense to me so I'll do some tests and confirm it works as expected.
Comment #10
dooug (Promet Source) commented: @Stevecowie, you still on this?
Comment #11
stevecowie commented: Yep. Will get an update on this within the next 48 hours.
Comment #12
sibopa commented: I know this is almost a year old.
I think we can create a simple rule to block user with "pre-authorized" role?
Comment #13
stevecowie commented: I tested the patch at #1 and it applies and does the job. The problem of misleading messages still exists so I added a watchdog message to the patch, which would hopefully alert the site admin to the problem.
I also did some digging into the possibility of hiding misleading messages but it's not easily achievable with the core contact form because the sent message is generated after drupal_mail has been called. Also, even if there's a workaround for that use case, mails can be sent by any number of contrib modules so it would be impossible to catch every case. Nevertheless, I think it's worth applying the patch as it stands because there is a minor security risk here that matters more than the misleading status message.
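The mechanism discussed in #5 and #13 (clearing the 'send' flag in hook_mail_alter() and leaving a watchdog trace), written out as an added example in a hypothetical Drupal 7 module named pre_auth_guard; this is not the attached patch or LoginToboggan's own code, and it assumes LoginToboggan keeps the pre-authorized role id in the variable `logintoboggan_pre_auth_role`:

```php
<?php
/**
 * Implements hook_mail_alter().
 *
 * Blocks outgoing mail to accounts that still hold the pre-authorized role
 * (address not yet validated), except the account-recovery mails the issue
 * summary allows. Hypothetical module pre_auth_guard; not LoginToboggan code.
 */
function pre_auth_guard_mail_alter(&$message) {
  // User-module mails that must still reach an unvalidated address.
  $allowed_user_keys = array(
    'register_no_approval_required',
    'register_pending_approval',
    'register_admin_created',
    'password_reset',
  );
  if ($message['module'] == 'user' && in_array($message['key'], $allowed_user_keys)) {
    return;
  }

  // Assumption: LoginToboggan stores the pre-auth role id in this variable.
  $pre_auth_rid = variable_get('logintoboggan_pre_auth_role', DRUPAL_AUTHENTICATED_RID);
  if ($pre_auth_rid == DRUPAL_AUTHENTICATED_RID) {
    // No dedicated pre-auth role configured, so there is nothing to filter.
    return;
  }

  // 'to' may be a comma-separated list; check every recipient.
  $recipients = array_map('trim', explode(',', $message['to']));
  foreach ($recipients as $to) {
    $account = user_load_by_mail($to);
    if ($account && isset($account->roles[$pre_auth_rid])) {
      // Stop drupal_mail() from sending. The calling module will usually still
      // report success, so record the suppression for the site admin.
      $message['send'] = FALSE;
      watchdog('pre_auth_guard',
        'Suppressed mail %id to unvalidated address %mail (uid %uid).',
        array('%id' => $message['id'], '%mail' => $to, '%uid' => $account->uid),
        WATCHDOG_WARNING);
      return;
    }
  }
}
```

Addresses written as "Name <user@example.com>" would need to be unwrapped before the user_load_by_mail() lookup; the example only handles bare addresses.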
Comment #15
stevecowie