If I go to a site of yours running Logintoboggan, and register a user with your email address as my username, I have effectively blocked you from logging in by email. As far as I can tell Drupal will attempt to authorize you against my user instead of yours (of course failing, since our passwords don't match).

I think this might be fixed by having logintoboggan_user_login_validate() validate both mail and password before injecting the username into the form.
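
The collision described in the report and the proposed fix, as an added example: a simplified Python model, not LoginToboggan or Drupal code. It assumes a login lookup in which a username match takes precedence over a mail match; `UserStore`, `login_name_first` and `login_validate_pair` are hypothetical names, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Toy account table: username -> (mail, salt, password hash)."""
    def __init__(self):
        self.users = {}

    def register(self, name, mail, password):
        salt = os.urandom(16)
        self.users[name] = (mail.lower(), salt, _hash(password, salt))

    def check(self, name, password):
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(rec[2], _hash(password, rec[1]))

    def names_by_mail(self, mail):
        return [n for n, r in self.users.items() if r[0] == mail.lower()]

def login_name_first(store, identifier, password):
    """Assumed behaviour from the report: the identifier is resolved to one
    account before the password is looked at, and a username match wins."""
    if identifier in store.users:
        name = identifier
    else:
        matches = store.names_by_mail(identifier)
        name = matches[0] if matches else None
    return name if name and store.check(name, password) else None

def login_validate_pair(store, identifier, password):
    """Proposed fix: substitute a username only when mail AND password match."""
    for name in store.names_by_mail(identifier):
        if store.check(name, password):
            return name
    # No mail/password pair matched: fall back to a plain username login.
    return identifier if store.check(identifier, password) else None

def demo():
    store = UserStore()
    store.register("alice", "alice@example.com", "correct horse")
    # Second account whose *username* is the first account's mail address.
    store.register("alice@example.com", "mallory@example.net", "other pw")
    return (login_name_first(store, "alice@example.com", "correct horse"),
            login_validate_pair(store, "alice@example.com", "correct horse"),
            login_validate_pair(store, "alice@example.com", "other pw"))
```

`demo()` returns `(None, "alice", "alice@example.com")`: the name-first lookup locks the mail owner out, while the paired check lets both accounts log in with their own passwords.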

Comments

stevecowie

Status: Active » Closed (outdated)

Version no longer supported