Add option to validate email address

Yes, this is a good point. The current "collision handling" logic is centered around usernames because conflicts there are the most dangerous (they can trigger fatal errors and a host of other problems within user_external_login_register()). If there is an email collision without a username collision I think user_external_login_register() still runs without error, but there are then of course 2 users with the same email address in the DB. I suppose the consequences of that could vary depending on the setup, but at a minimum I think there would be irreversible validation errors on the profile edit form for the effected users.

The patch makes sense I think, and if this new config option was active I think each existing collision handling method (both abort and merge) would still work fine as-is (#2747977: Don't assume that username is the same as authname is a big help here). I see however that you have the new behavior contingent on both the new crowd_validate_email option being enabled and crowd_allow_email_logins being active:

+  if (!$user_local && variable_get('crowd_allow_email_logins', FALSE) && variable_get('crowd_validate_email', FALSE)) {

I wonder if this should be tied to the crowd_allow_email_logins setting at all? I suppose this new check would be valid independent of that email login feature. It sounds like you have specific experience with the issue in the context of the email login feature, so you might have some additional insights here.

Thinking even more, I wonder if a new config option is even needed at all. Perhaps the default collision detection checking should unconditionally check for email collisions as well. Though I'm not sure if there are valid use cases where we would want to allow duplicate emails in the Drupal DB.

Yeah, I think having the config option is not a bad idea. Thinking more I might actually have a project with a use case for disabling the option (a complex multi-integration setup including Salesforce). I'd like to try this patch against that setup.

I still can't see any use cases where this would be an issue, though as per #3 I do think we'll benefit from some small adjustments. Here's a variation that removes the crowd_allow_email_logins conditional and tweaks some of the settings page text for the new conf option.

Note that I also moved away from the term "validate" as I thought it might imply that there is more going on that just testing for an email "collision".

There haven't been any comments in a while so I'd like to more forward with #6.

I need update the Crowd Batch & Auto Pull codebase to also use this adjusted logic.

Ok, committed. The matched commit for Crowd Batch & Auto Pull can be viewed here.