The module uses email as a primary key in the authmap table for the users. This is generally a bad idea because the user can change their login in the Netforum site, then on the next Drupal login they will have a new account created.

This probably doesn't apply to SSO, but for direct logins (logins inside of Drupal, without cookies) it duplicates the account if the email is changed externally.

I have some small changes to load users on the cst_id instead of the name/email, but wanted to check if this was addressed elsewhere first.

CommentFileSizeAuthor
#2 1475650-key-off-cst-id.patch1.54 KBdjdevin

Comments

james.michael-hill’s picture

I don't think it's addressed anywhere else, when you have a patch ready please submit it.

djdevin’s picture

Status: Active » Needs review
StatusFileSize
new1.54 KB

Patch attached. Solution is to not use user_external_login_register() if the account already exists, because it will only attempt to load the user by the username (the email, which may have changed), and otherwise create a duplicate user. If the account exists we load the user by the cst_id, then update the user's name/mail and finalize the login.

james.michael-hill’s picture

I've applied a version of this patch - there is a lot that happens on user save and I'd like to avoid starting that process unless there is an actual change. With that idea I've moved it around a bit in a bid to only save if the email has changed, and to only go through this process for netFORUM Team customers. At this point in the login cycle for Enterprise customers I don't think there is a full customer object to inspect. When you see the newest dev build please take a look and let me know if it works as expected.

djdevin’s picture

Assigned: Unassigned » djdevin

Sounds like a good idea, I will run it through some testing - thanks!

djdevin’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.