Hey,
First of all, I am not sure if it is OK to offer both registration and login types, "fboauth and normal Drupal", at the same time. But I installed fboauth and I am testing it; the FB connect block is visible on all pages. I noticed this behaviour:

If I am in my browser or mobile webview and already logged in to FB (normal FB), and if I have an account with Drupal and assigned my FB account to it, then I log out as normal and log in with a different user with the "normal" Drupal login fields that still has no FB account assigned to the Drupal account, the FB connect button is now waiting for connect, and didn't log my user from FB, which is correct because it is another user. But if I now click on FB connect, it will connect me to my FB account as normal, and then I log out directly (remember I am logged in to FB in another tab), then I click on the FB connect button, Drupal will log me in with the latest user I tried to log in to it, so it is overtaking it and I have to use the normal login fields to log in to my previous "real" user account. So am I doing it wrong? And should the FB connect button be hidden after login? I thought about allowing a user to connect to FB later after he/she is logged in.

Comments

aakkawi’s picture

added/edited: on fb connect, it will connect me to my fb account as normal, and then

aakkawi’s picture

small edit

aakkawi’s picture

added drupal login fields that still has no fb account assigned to the drupal account,

mike27’s picture

I have the same issue. FB oauth automatically deauthorises the "old" user and authorises the new one. It is not clear why there is no validation based on the user emails. More specifically, when a new user is created the fb_oauth retrieves the user email from facebook. In the case when someone wants to link his account with his fb profile the fb_oauth should deny authorization if the email addresses are different. Please help on this, it is also a security-related issue when one of the users is admin and the other is normal.

RobertCervenka’s picture

Reporting same issue. TL;DR:

  1. connect on FB in one tab
  2. connect to D7 site with a user not assigned to any FB account
  3. click the "connect to FB" button generated by FBOAuth
  4. "You've connected your account with Facebook." without any e-mail address check or popup question asking if I'd really like to do such a thing.

The issue might arise from the button even showing on the site after login. Then it works like "connect my current Drupal account without FB to my current FB session account". We found it out the other way: had two login screens open: first log in with a normal D7 user, then switch to the other screen and click "Login with FB", and voila: two different accounts (email, names, and so on) are suddenly connected.

Workaround is to disallow auto-connecting accounts, when fboauth_action_connect is called.

tennist’s picture

I was experiencing this same issue on my installation. If I associated or created an account with Facebook, then logged out and logged into a non-associated account and clicked connect, this second account became connected and I could no longer get into the first account. The reason for this is that the module does not perform a check to see if there is already an associated Drupal account for the Facebook account in question. I was able to fix this with a few lines of code in the includes/fboauth.fboauth.inc file. The lines of code were added near the end of the function fboauth_action_connect(), just after it says:

//The user is already logged into Drupal..

The needed lines of code are as follows:

// Check to see if the fbid is already associated with a different drupal account
$uid_exist = fboauth_uid_load($fbuser->id);
if ($uid_exist) {
  drupal_set_message(t("Your facebook account is already associated with another account on our site.  Please logout of this account and then click the 'Login with Facebook Button' to login with your existing account."), 'error');
}
// The fbid is not associated with any other accounts
else {
  // So just associate the two accounts.
  fboauth_save($user->uid, $fbuser->id);
  drupal_set_message(t("You've connected your account with Facebook."));
}
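
The connect-time checks discussed in this thread, as an added standalone PHP example (not code from fboauth or from any commenter). It models the decision only: `$links`, `connect_decision()` and the `CONNECT_*` constants are hypothetical names, the mapping is a constructed in-memory array rather than the module's storage, and the e-mail comparison is the stricter policy asked for above, shown as optional.

```php
<?php
// Added example, not fboauth code. $links is a constructed in-memory stand-in
// for the Facebook-id => Drupal-uid mapping; all names here are hypothetical.

const CONNECT_LINK       = 'link';           // safe to store the new association
const CONNECT_NOOP       = 'already_linked'; // this uid already owns this fbid
const CONNECT_DENY_TAKEN = 'fbid_taken';     // fbid belongs to another Drupal account
const CONNECT_DENY_MAIL  = 'mail_mismatch';  // e-mail policy refused the link

/**
 * Decide what a "connect" request from an already logged-in user may do.
 */
function connect_decision(array $links, int $uid, string $fbid, string $drupalMail, ?string $fbMail): string {
  $owner = $links[$fbid] ?? null;
  if ($owner === $uid) {
    // Re-connecting the same pair is harmless; do not report it as a conflict.
    return CONNECT_NOOP;
  }
  if ($owner !== null) {
    // Never move an existing association to the current session's user:
    // silently re-pointing it is the account mix-up reported in this thread.
    return CONNECT_DENY_TAKEN;
  }
  // Optional stricter policy: only link when both accounts share an e-mail.
  if ($fbMail === null || strcasecmp(trim($fbMail), trim($drupalMail)) !== 0) {
    return CONNECT_DENY_MAIL;
  }
  return CONNECT_LINK;
}

// Constructed sample data: fbid 1001 is already linked to uid 1.
$links = ['1001' => 1];
$cases = [
  [2, '1001', 'bob@example.com',   'alice@example.com'], // second user, taken fbid
  [1, '1001', 'alice@example.com', 'alice@example.com'], // same pair again
  [2, '2002', 'bob@example.com',   'carol@example.com'], // free fbid, other e-mail
  [2, '2002', 'bob@example.com',   'Bob@Example.com'],   // free fbid, same e-mail
];
foreach ($cases as [$uid, $fbid, $mail, $fbMail]) {
  printf("uid=%d fbid=%s => %s\n", $uid, $fbid, connect_decision($links, $uid, $fbid, $mail, $fbMail));
}
```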