Drupal 7 core security update 7.35 introduced a change to the password rehashing adds an extra uid argument to the function user_pass_rehash which is used by logintoboggan_eml_rehash and generates a different password hash to what Core now produces. This results in a hashing failure and results in the message
confirmation link has expired
when logintobboggan is used to handle email validation for the purpose of removing a temporary role and granting a more privilaged role.
The end result is that users cannot confirm their email address and are unable to promote their user accounts to a more functional role.
I've attached a patch which fixes this issue.
Comment | File | Size | Author |
---|---|---|---|
7116-logintoboggan_eml_rehash.patch | 1.96 KB | scott.whittaker |
Comments
Comment #1
EternalLight CreditAttribution: EternalLight commentedJust been doing the same thing and was about to post the same patch :)
Good job!
Comment #2
peezy CreditAttribution: peezy commentedThe patch worked great... thanks!
Comment #3
hosais CreditAttribution: hosais commentedThank you for the patch!
I noticed that https://www.drupal.org/node/2455049 and this patch are the same code. Is that right the same code for both of 7.x-1.4 and 7.x-1.dev?
Comment #4
antiorario CreditAttribution: antiorario commentedSee #2455049: Various one-time-login and validation links don't work with Drupal 6.35+ and download the current 7.x-1.x-dev.