Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 3.0.2
- Fix Version/s: Unscheduled
- Component/s: Core CiviCRM
- Labels: None
Description
Drupal account creation by an anonymous user can cause existing contact information to be lost. This could be used in a malicious manner.
1. Create a contact record including name, email address and (street) address.
2. Log out.
3. Via the Drupal login form, select "Create new account".
4. Enter name and email address, but not (street) address.
The (street) address is immediately gone from the contact record. Absence of data in the account creation form shouldn't override existing contact information, causing it to be deleted. If someone knows the name and email address of one of my contacts, and that contact doesn't have an account, then they can cause me to lose contact information simply by creating an account!
I seem to remember that in a previous version of CiviCRM creating an account would create a new contact record and the 2 records would have to be merged. I think this is a better approach.
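The behaviour the report asks for, as an added example: a standalone Python model, not CiviCRM or Drupal code. `ContactStore`, `register_account`, `fill_blanks_only` and `verified_contact_id` are hypothetical names, and `verified_contact_id` stands for whatever proof of control over the matched contact a site requires. An anonymous sign-up that matches an existing contact creates a separate record queued for merge review, and blank form fields never erase stored values.

```python
from dataclasses import dataclass, field

@dataclass
class Contact:
    contact_id: int
    name: str
    email: str
    street_address: str = ""
    has_account: bool = False

@dataclass
class ContactStore:
    contacts: dict = field(default_factory=dict)
    merge_queue: list = field(default_factory=list)  # (existing_id, new_id) awaiting review

    def add(self, name, email, street_address="", has_account=False):
        contact = Contact(len(self.contacts) + 1, name, email, street_address, has_account)
        self.contacts[contact.contact_id] = contact
        return contact

    def find_match(self, name, email):
        """Match on name + email, the two values entered on the sign-up form."""
        for contact in self.contacts.values():
            if (contact.name.lower(), contact.email.lower()) == (name.lower(), email.lower()):
                return contact
        return None

def fill_blanks_only(existing, submitted):
    """Copy submitted values into empty fields; a blank value never erases data."""
    for key, value in submitted.items():
        if value.strip() and not getattr(existing, key):
            setattr(existing, key, value.strip())

def register_account(store, name, email, street_address="", verified_contact_id=None):
    match = store.find_match(name, email)
    if match is None:
        return store.add(name, email, street_address, has_account=True)
    if verified_contact_id == match.contact_id:
        # Caller has proven control of the matched contact: enrich it, never blank it.
        fill_blanks_only(match, {"street_address": street_address})
        match.has_account = True
        return match
    # Anonymous caller: leave the existing record untouched and queue a manual merge.
    new = store.add(name, email, street_address, has_account=True)
    store.merge_queue.append((match.contact_id, new.contact_id))
    return new
```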