Whenever I create a new account, it asks for email, user name, etc., but it takes the same credentials in the respective fields that I used for the previous user creation, and I think Drupal doesn't allow using the same email for 2 or more different people.
I think it's storing on local but there is no use of it.
Beta phase evaluation
Issue category | Bug because this is a regression in privacy from previous versions of Drupal (Drupal 7). |
---|---|
Issue priority | Major because this issue goes against general privacy expectations from an end-user standpoint. |
Prioritized changes | The main goal of this issue is usability. Having a previous user’s “private” email or username displayed to any following user who happens to access user/register on a given machine is counterintuitive and violates reasonable privacy expectations. |
Comment | File | Size | Author |
---|---|---|---|
#66 | interdiff_65-66.txt | 564 bytes | Nitin shrivastava |
#66 | 2409107-66.patch | 6.22 KB | Nitin shrivastava |
#65 | core-autofill-2409107-65.patch | 6.64 KB | DonAtt |
#64 | 2409107-nr-bot.txt | 158 bytes | needs-review-queue-bot |
#62 | core-autofill-2409107-62.patch | 6.21 KB | DonAtt |
Comments
Comment #1
jeet09 commented
Comment #2
YesCT commented
Thank you for opening this issue and attaching the screenshot.
The tag for the sprint, according to https://groups.drupal.org/node/447258 should be SprintWeekend2015 (no #).
Also, tags should be separated by comma, not a space.
In this case the component is fine; we don't want a new tag #user module.
---
Please embed the screenshots into the issue summary.
The browser plugin from http://dreditor.org is what some contributors use to make that easier to do.
Comment #3
idebr commented
I updated the issue title to describe the issue described in the issue summary.
Comment #4
YesCT commented
I pulled my 8.0.x to make sure I had the latest.
I installed.
I am not able to create any account using an email already used by a user.
I am not able to create any account using a username already used by a user.
Is your problem that the form fields at admin/people/create are prefilled with already used values, .... but the form errors ok, or is the form submitting ok?
user/register
is also having errors nicely when submitting the form with a username (or an email) that is already in use by a user.
Comment #5
YesCT commented
Hmm.
Logging out, and using the URL
user/register
submitting, and then again
user/register
I do get the form pre-filled with values I have previously used, but it errors fine if I try to resubmit the form with the same values.
I think this is fine.
Note admin/people/create is not pre-filling (if I am logged in as admin and using the page over and over).
Comment #6
jeet09 commented
Sometimes the same browser is shared by 2 or 3 users, and if one user registers and another user comes along and opens registration, the form values are already filled with the previous user's registered values. Anyway, Drupal won't allow using the same email/username, but I think it's not good.
Comment #7
RavindraSingh commented
As per user experience it should be fixed.
Let me give you an example. If a D8 Drupal site is used by educational institutes, and the same system is used by staff and students, in that case the last email ID registered from the system (browser) should not be visible to the next one.
We should fix it.
Comment #8
mglaman
After some digging, it is a browser data attribute being set on the form.
cgit link
When this line is commented out, the reported issue does not happen. Found this change notice when I did a Google search of the data attribute - https://www.drupal.org/node/2243627
Comment #9
alimac commented
Comment #10
YesCT commented
In Drupal 8,
when I do an ag (like grep but better)
ag data-user-info-from-browser
I get:
Comment #11
mglaman
Linking issue which added this to D8 - #749748: Contact, register and comment forms do not prefill with user info from browser
Comment #12
mglaman
*actually* linking.
Comment #13
shaktik
I pulled my 8.0.x
admin/people/create
user/register
I'm not able to create any account using an email already used by a user.
I'm not able to create any account using a username already used by a user.
I think it's working fine.
Comment #14
David_Rothstein commented
Retitling to be clear about what the issue is, and bumping to major to evaluate the potential privacy concerns. (I wouldn't call this critical really, since browsers do remember email addresses in other ways typically, but it seems very unexpected from a privacy perspective that if you go to a public computer, register for an account on a Drupal site, close the browser when you're done... the next person who comes along sees your private email address staring them in the face when they load the form.)
Comment #15
Bojhan commented
Comment #16
David_Rothstein commented
Adjusting title - the email address is the worst part but populating it with the last person's username is wrong too.
Comment #17
nod_
This info and this behavior used to be inside cookies with a 365-day expiration. Now it's in localStorage with no expiration date.
As you can see in the related issue, breaking this behavior was considered a bug. I'm fine with it, just get rid of drupal.form library and the data attribute in the register form and we'll be done with it.
Comment #18
phillamb168 (as a volunteer) commented
This is a triage at the Los Angeles Sprints. @cilefen and I did the triage.
The issue summary is up-to-date but could be rewritten to improve legibility.
The issue can be reproduced by registering on a given D8 site (e.g., http://d8.dev/user/register), entering a username and email address, submitting the form, and then reloading the user/register page. Clearing local browser data removes the preloaded data, however.
#749748: Contact, register and comment forms do not prefill with user info from browser was the issue that introduced this bug.
This issue was marked as Major by an experienced contributor in comment #14 and we agree with the assessment. Normal issues have “isolated impact”. This issue will occur on all browsers, and there is a privacy impact.
Comment #19
xjm
(Saving proposed issue credit for discussion and triage participants at LA.)
Comment #20
cilefen commented
Comment #21
mgifford
Re-uploading patch for the bots.
Comment #22
cilefen commented
Comment #23
prasad_gogate (at Acquia) commented
@prasad_gogate looking into this issue
Comment #24
prasad_gogate (at Acquia) commented
Issue does not replicate.
Tried to create users with the user registration form
Steps
Version tested - 8.1.0-dev
Comment #25
prasad_gogate (at Acquia) commented
The issue is not yet triaged as a current major hence un-tagging
Comment #26
cilefen commented
I think this issue refers to self-registration. Can you please try again?
Comment #27
cilefen commented
And, this is a bug so you should test on 8.0.x also to be sure.
Comment #28
xjm
@cilefen: Yep, @prasad_gogate, @nagwani, and I untagged the issue because it was accidentally the wrong tag, but we figured we were missing a step to reproduce the issue properly given comments from @David_Rothstein and yourself above. @nagwani was working on trying to reproduce the issue in 8.0.x as of when it was filed but not sure if that got done among all the other triage work. :) Thanks!
Comment #29
xjm
(Updating issue credit for the major triage.)
Comment #35
Shamsher_Alam (as a volunteer) commented
I am facing the same issue. When the user submits the registration form and clicks again on registration, it still shows the last user's registration details. I can reproduce this issue on the latest Drupal 8 release.
Comment #36
Shamsher_Alam (as a volunteer) commented
#21 worked for me.
Comment #37
Shamsher_Alam (as a volunteer) commented
#21 worked.
Comment #38
Adam Neutrik commented
#21 worked. Awesome work here! I bow my thanks.
Comment #39
Shamsher_Alam (as a volunteer) commented
Comment #40
alexpott
Should we be making a general decision about this behaviour? We use the same feature in comments and contact forms for anonymous users. If you submit a contact form on a site I'm not sure I'd expect the site to dump my email address into local storage on that computer.
Comment #41
alexpott
I think this needs a product manager review to decide if the behaviour of storing user input indefinitely on a computer for anonymous users is desired.
Comment #42
alexpott
This feature was added in #440876: Reuse comment.module's anonymous cookie information
Comment #43
Shamsher_Alam (as a volunteer) commented
Working fine.
Comment #44
Rob C commented
And let's set that back to needs review for the product manager. Thanks.
@alexpott "Reuse comment.module's anonymous cookie information"
Did some work on cookies over the last couple of months:
- Contact and comment indeed set cookies in this way that contain the name and e-mail (homepage). (Search for 'user_cookie_save' in D7.)
This maybe should be an option/additional param or something; these cookies are now always set and the only way to stop it is to clone the submit function and drop the line that sets the cookie. I had to clone the submit and remove the cookie because of GDPR.
(And GDPR is one, but what about ePrivacy next year? These cookies contain data that should not be stored like this, or at least - not without consent.) (I vote to just remove them completely, taking into account all upcoming changes to privacy, storing data, etc.)
My 5 cents: we should not store anything like this. Because 'desired': not by me, it is actually a hurdle now to fix it for all my visitors... I disabled contact and do not use comment, switched it all for a simple form, wasted some nice private time on this.
Hindsight: we should test these in the future, because the ePrivacy amendment already existed back in 2009 and nobody tested if the issue had to conform to any law, I guess?
(Side note: think we need a cookie API...)
Comment #46
AmolB commented
User mglaman's comment worked for me.
Added the code in form_alter function:
$form['#attributes']['data-user-info-from-browser'] = FALSE;
And it worked.
Thanks mglaman
Comment #47
cilefen commented
Comment #48
eelkeblok
The patch seems pretty straightforward, and I think it is pretty universally agreed that this is undesirable behaviour. Does it make sense to just merge this? Does it need a test to make sure no one comes up with this again?
Although it does raise questions whether prefilling this information is a good idea at all, I think that question is not as nuanced for the registration form as for the comment form.
Comment #51
mkolar (at Ciklum Western Europe for BurdaForward) commented
We have been using this for some time already on our project; I guess this is ready to be merged.
Comment #52
larowlan
This still needs product manager review, I'll ping some folks
Comment #53
Gábor Hojtsy
I think this is fine. The only negative side effect I can think of is manual UI testing will be harder because you will need to enter credentials manually. But that is an edge case and normal operation security improvements should not be held by that.
Comment #54
alexpott
@Gábor Hojtsy should we create issues for the other places this is used? I think the same holds true for anonymously commenting.
Comment #55
alexpott
I still feel that this is not really a fix. We're still storing the data in local storage. This only means that it is not displayed if someone visits the user create form. We need to remove the ability to store personal information in local storage. We shouldn't be saving it for anonymous comments or anonymous use of the contact form. At least the user creation form doesn't usually have the form.js javascript on it because if it did then that would also save these details. But all I'd have to do to make this happen is add a text with summary field to the User entity via the UI and allow it to be filled in on the registration form.
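Added example (not part of the thread or of Drupal core): a JavaScript audit a site maintainer could run to see what personal data a page has left in localStorage, the concern raised in comments #17 and #55. The key names in the sample are hypothetical and the storage object is a constructed in-memory stand-in; in a browser console, pass window.localStorage instead.

```javascript
// In-memory stand-in for window.localStorage so the audit also runs in Node.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// Loose pattern: anything shaped like local@domain.tld inside a stored value.
const EMAIL_RE = /[^\s@"']+@[^\s@"']+\.[^\s@"']+/;

// List entries that hold an email-like value or whose key has a watched prefix.
function findPersonalData(storage, watchedPrefixes = []) {
  const hits = [];
  for (let i = 0; i < storage.length; i += 1) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const reasons = [];
    if (EMAIL_RE.test(value)) reasons.push('email-like value');
    if (watchedPrefixes.some((p) => key.startsWith(p))) reasons.push('watched prefix');
    if (reasons.length > 0) hits.push({ key, reasons });
  }
  return hits;
}

// Delete the flagged entries and return their keys. Keys are collected first
// because removing items while iterating by index would skip entries.
function purgePersonalData(storage, watchedPrefixes = []) {
  const keys = findPersonalData(storage, watchedPrefixes).map((hit) => hit.key);
  keys.forEach((key) => storage.removeItem(key));
  return keys;
}

// Constructed sample: a shared browser after one anonymous registration.
// The key names are hypothetical; read the real ones from the browser's dev tools.
const sharedBrowser = new MemoryStorage({
  'visitor.name': 'alice',
  'visitor.mail': 'alice@example.com',
  'ui.theme': 'dark',
});
console.log(findPersonalData(sharedBrowser, ['visitor.']));
```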
Comment #56
nod_
For that we can use the Clear-Site-Data header, to empty localstorage, serviceworkers, cookies, etc. I'm using that in the PWA module to clear things on login/logout. To me core should use that header to nuke everything on user logout.
What I did is that on login I clear all the storages (localstorage, serviceworkers, indexdb), and on logout I clear storage and cookies.
Comment #57
alexpott
@nod_ I think this is different. I think we should never be storing this stuff in local storage. For the Clear-Site-Data header to work you need to log out. This stuff is recorded even if you never log in.
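Added example (not part of the thread or of any module mentioned in it): the Clear-Site-Data policy described in comment #56, with a toy browser model showing the limitation raised in comment #57, that data saved by an anonymous form submission stays until a login or logout response arrives. The event names, stored values and browser model are constructed for illustration.

```javascript
// Directive names defined for the Clear-Site-Data header (subset used here).
const KNOWN_TYPES = new Set(['cache', 'cookies', 'storage', 'executionContexts', '*']);

// Header value syntax: comma-separated, each directive a double-quoted string.
function clearSiteDataValue(types) {
  for (const type of types) {
    if (!KNOWN_TYPES.has(type)) throw new Error(`unknown directive: ${type}`);
  }
  return types.map((type) => `"${type}"`).join(', ');
}

// Policy from comment #56: login clears storage, logout clears storage and cookies.
// The event names are hypothetical labels for this example.
const POLICY = new Map([
  ['login', ['storage']],
  ['logout', ['storage', 'cookies']],
]);

// Extra response headers for an event; events outside the policy get none.
function headersForEvent(event) {
  const types = POLICY.get(event);
  return types ? { 'Clear-Site-Data': clearSiteDataValue(types) } : {};
}

// Toy browser: applies only the two directives this example cares about.
function applyResponse(browser, headers) {
  const types = (headers['Clear-Site-Data'] || '')
    .split(',').map((part) => part.trim().replace(/"/g, '')).filter(Boolean);
  if (types.includes('storage') || types.includes('*')) browser.localStorage.clear();
  if (types.includes('cookies') || types.includes('*')) browser.cookies.clear();
}

// Replay a constructed sequence of events against one shared browser profile.
function simulate(events) {
  const browser = { localStorage: new Map(), cookies: new Map() };
  for (const event of events) {
    // An anonymous form submission leaves the visitor's email in localStorage.
    if (event === 'anonymous-submit') browser.localStorage.set('mail', 'alice@example.com');
    if (event === 'login') browser.cookies.set('session', 'constructed-session-id');
    applyResponse(browser, headersForEvent(event));
  }
  return browser;
}
```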
Comment #58
nod_
So something like this?
Comment #62
DonAtt (as a volunteer) commented
Re-rolled patch #58 for 9.4.x
Also removed this part from the test:
Comment #64
needs-review-queue-bot (as a volunteer) commented
The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #65
DonAtt (as a volunteer) commented
Re-roll for 9.5.x
Comment #66
Nitin shrivastava (at OpenSense Labs) commented
Try to Fix CCF errors.
Comment #67
Austin986 (as a volunteer) commented
I found this issue is still active in D10.0.9.
What is the point of keeping the previous email and user name in the register form?
Any patch or fix for D10?
Comment #71
idimopoulos (for European Commission and European Union Institutions, Agencies and Bodies) commented
Rerolled patch 66 for 10.1.x and 11.x.
However, I should note that this is a blind reroll. Did not check if there are any changes in core that might affect this.