After upgrading to Bio 5.13, during registration, users email address' are no longer checked to see if they already exist in the user database - allowing users to create multiple accounts with a single email address. This is obviously not ideal.

Downgrading to Bio 5.12 fixes the problem.

Files: 
CommentFileSizeAuthor
#1 patch.txt1.81 KBericnielsen

Comments

Status:Active» Needs review
StatusFileSize
new1.81 KB

I fixed it. The module was adding a '#validate' handler to the form and this disabled the call to hook_user with $op = 'validate'.

See attached patch.

I've recently run into this problem as well. In addition to not validating email addresses it was not validating usernames either. If a user tried to create a new account with an existing username, for all appearances it was letting them do so. The "new" user would get a confirmation email with a new password, and Admin would get an email stating "*username* has requested an account" (even though we don't have admin approval required). The new password was not actually set though, so the existing user's login did not seem to be messed up, and the new login info (sent to a potentially different email address) did not work.

I could not get the above patch to apply to bio.module. Apologies, I can't recall now the exact wording of its failure message (something like "invalid patch"). I admit I don't think I've ever used patch before, so that problem could easily be entirely on my end. I ended up going through the patch and making the changes manually, which seemed to fix the problem. Drupal now correctly says "*username* is already taken" or "email address already registered" from account creation.

Now I've got another problem, presumably related to this. When a user tries to edit their Account Settings, Drupal is now attempting to validate their email address as if it were a new one. This returns the "email address already registered" error even when the user didn't change their email (for example, when trying to change displayed blocks, upload a new avatar, or anything else on their Settings page).

Edit
Nevermind, it seems this is not necessarily an error inside bio.module (with the above fix applied). The problem described in the last paragraph only apples when duplicate user accounts were created while the first problem existed. Because email addresses were not being verified before, there can now exist more than one user account with the same email. This causes the Edit check to see different uid with the same email. In my installation it appears to only affect my account, since I repeatedly used my own email while testing...