Drupal's built-in user/register correctly does not allow registration while in maintenance, but logintoboggan's unified login/register form still shows the register tab when in maintenance mode and allows its use. After submitting the register form the user is shown the maintenance page but the new account is created.

I've patched logintoboggan.module by simply returning the login form if in maintenance mode:

/**
 * Builds a unified login form.
 *
 * @param $active_form
 *   Which form to display, should be 'login' or 'register'.
 */
function logintoboggan_unified_login_form($active_form = 'login') {
  $login_form = drupal_get_form('user_login');
  // Don't allow register in maintenance mode
  if (variable_get('maintenance_mode', 0)) {
    return $login_form;
  }
  // ETC.....

I'm not sure if there are any other cases to cover e.g. blocks.


Comments

dooug’s picture

Priority: Normal » Major

This sounds like a major issue in expected behavior. Can someone roll a patch for this and test to confirm?

dooug’s picture

Version: 7.x-1.3 » 7.x-1.x-dev
Status: Active » Needs review
FileSize: 964 bytes

I rolled the patch and tested. It is a simple enough solution.

However, I'd like to welcome any feedback for other solutions other than simply not showing the unified log-in.

robcarr’s picture

Status: Needs review » Needs work

This is also a problem if the 'Who can register accounts? Administrators only' option is selected (Admin > Config > People > Account settings).

The unified login form allows other users to register for an account.

Although the patch you've written addresses the issue you've described, the root problem is that LoginToboggan bypasses relevant permissions on user registration.
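
Added example, not part of the thread and not LoginToboggan's code: one way to cover both cases raised above (maintenance mode and the "Administrators only" setting) by reusing the checks Drupal 7 core applies to user/register, and by enforcing them on submission as well as when building the form. It assumes a hypothetical Drupal 7 module named `example`; the three `example_*` function names are made up for illustration.

```php
<?php
/**
 * Hypothetical helper: may the register half of a unified form be offered?
 */
function example_unified_register_allowed() {
  // Same condition the patch in the original post tests.
  if (variable_get('maintenance_mode', 0)) {
    return FALSE;
  }
  // Core's access callback for user/register: the visitor must be
  // anonymous and 'user_register' must not be set to
  // USER_REGISTER_ADMINISTRATORS_ONLY.
  return user_register_access();
}

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 *
 * Hiding the register tab does not stop a form that is rendered or
 * posted some other way (for example from a block), so the same check
 * is repeated at validation time.
 */
function example_form_user_register_form_alter(&$form, &$form_state) {
  $form['#validate'][] = 'example_register_validate';
}

/**
 * Validation handler: refuse self-registration when it is not allowed.
 */
function example_register_validate($form, &$form_state) {
  // admin/people/create uses the same form id; administrators creating
  // accounts must not be blocked by the self-registration rules.
  if (user_access('administer users')) {
    return;
  }
  if (!example_unified_register_allowed()) {
    form_set_error('name', t('Account registration is currently unavailable.'));
  }
}
```

A form builder such as `logintoboggan_unified_login_form()` could call the helper in place of the bare `maintenance_mode` test and return only the login form when it returns FALSE.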