I'd classify this as a stable release blocker/security issue since it allows people to log in who would otherwise get a validation error from the contrib validation handlers.

function login_flow_form_user_login_alter(&$form, &$form_state) {
  // Let's hijack the user login validation.
  $form['#validate'] = array('login_flow_name_validate', 'login_flow_authenticate_validate', 'login_flow_final_validate');
}
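
An added example (not from the issue or the module's commits) of a form alter that swaps only core's three login validators and leaves handlers added by other modules in place. The `_hardened` function name and `example_lockout_validate` are hypothetical; the core handler names are the ones Drupal 7's user_login_default_validators() returns.

```php
<?php
// Added example, not the module's committed fix.

/**
 * Hardened variant: replace only core's three login validators with the
 * login_flow ones, keeping handlers other modules added and their order.
 */
function login_flow_form_user_login_alter_hardened(&$form, &$form_state) {
  // Core validators mapped to the login_flow replacements named in the issue.
  $swap = array(
    'user_login_name_validate' => 'login_flow_name_validate',
    'user_login_authenticate_validate' => 'login_flow_authenticate_validate',
    'user_login_final_validate' => 'login_flow_final_validate',
  );
  $validators = isset($form['#validate']) ? $form['#validate'] : array();
  foreach ($validators as $i => $handler) {
    // Only plain function-name handlers that belong to core are swapped.
    if (is_string($handler) && isset($swap[$handler])) {
      $validators[$i] = $swap[$handler];
    }
  }
  $form['#validate'] = $validators;
}

// Constructed sample: the login form after a hypothetical contrib module
// (example_lockout) has inserted its own validator.
$form = array('#validate' => array(
  'user_login_name_validate',
  'example_lockout_validate',
  'user_login_authenticate_validate',
  'user_login_final_validate',
));
$form_state = array();
login_flow_form_user_login_alter_hardened($form, $form_state);

// example_lockout_validate is still present, in its original position.
print_r($form['#validate']);
```

With the wholesale assignment shown in the issue, the handlers lost are those added by modules whose alter hook runs before login_flow's, so module weight decides which contrib checks are skipped.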

Comments

Assigned: hefox » Unassigned

Status: Active » Fixed

Cleaned up

  • hefox committed 6807357 on 7.x-1.x
    Issue #2128377: Make login form overrides not be so powerful
    

  • hefox committed 882ff4c on 7.x-1.x
    Issue #2128377: update login_flow admin variables
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.