Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By jgwong on
I haven't tested this, perhaps I'm wrong since I'm still new to the Drupal code -- the other day I read the user registration function and I seem to remember it doesn't check if users can register or not without Admin approval. It just goes on and inserts the information received by $edit.
Would that be a possible flaw? I mean, a user might be able to POST with action="user/register" and get a user registered even if public user registration is disabled.
Comments
Why don't you just test it?
Give it a try. It should take you 2 minutes to write the html to test this possible vulnerability.
Yup...
And probably, it inserts VALIDATED=FALSE or something into the table so they can't login until approval, drupal wouldn't give bad coding like that, would they?