Since the registration module and the forgot-password module are using the same DB field to store their tokens, it is possible to trigger the activation mail on activated members.
Assuming the following situation:
An activated member is using the reset-password form, so an email with a reset link will be generated and the token will be stored in the database. If the link is not triggered (e.g. a spam filter deleted the mail), the token remains in the database. If at this point someone tries to register with the email address of this user, the registration module will resend the activation mail instead of triggering the "e-mail already registered" error.
Even worse, the module just sends the activation mail without triggering any hook or event, so the notification center mails for the registration process will not be used. (That would be a different issue, wouldn't it?)
It would be better if the two modules (registration and reset-pw) used different DB fields or prefixed their tokens, to prevent sending activation mails to already activated users.
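The two flows described in the report, as an added example that is not part of the issue or of the project's code: a small Python model in which registration and password reset share one token field, beside a version that gives each purpose its own field and lets each check read only its own. The member rows, field names, `TOKEN_TTL` and the flow classes are constructed stand-ins, not the real modules or database schema; the scenario replays the report (reset requested, mail lost, someone registers with the same address) and also the follow-up comment's point that a shared field lets an activation token pass as a reset token.

```python
"""Shared-token-field flaw and a purpose-bound fix (constructed model, not project code)."""
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the thread treats both tokens as short-lived


def activated_member(email):
    """Constructed row for an activated member with no pending token (assumed field names)."""
    return {"email": email, "activated": True, "password": "",
            "token": "", "expires": 0,                      # single shared field (vulnerable model)
            "activation_token": "", "activation_expires": 0,  # purpose-specific fields (fixed model)
            "reset_token": "", "reset_expires": 0}


class SharedFieldFlow:
    """Vulnerable model: registration and password reset both write to `token`."""

    def __init__(self, members):
        self.members = members
        self.sent = []  # (mail type, recipient), so a caller can see which mail went out

    def request_password_reset(self, email):
        m = self.members[email]
        m["token"] = secrets.token_hex(16)
        m["expires"] = time.time() + TOKEN_TTL
        self.sent.append(("reset", email))

    def register(self, email):
        m = self.members.get(email)
        if m is None:
            self.members[email] = dict(activated_member(email), activated=False,
                                       token=secrets.token_hex(16),
                                       expires=time.time() + TOKEN_TTL)
            self.sent.append(("activation", email))
            return "registered"
        # Bug: a non-empty token is read as "activation still pending", but an
        # unused reset token sits in the same field, so an activated member gets
        # an activation mail instead of the "already registered" error.
        if m["token"]:
            self.sent.append(("activation", email))
            return "activation-resent"
        return "error-already-registered"

    def set_password(self, token, new_password):
        # Same confusion the other way round: an activation token is accepted as a reset token.
        for m in self.members.values():
            if m["token"] and hmac.compare_digest(m["token"], token):
                m["password"] = new_password
                return True
        return False


class SeparateFieldFlow(SharedFieldFlow):
    """Fixed model: one field per purpose, each check reads only its own field."""

    def request_password_reset(self, email):
        m = self.members[email]
        if not m["activated"]:
            return  # no reset link for an account that never completed activation
        m["reset_token"] = secrets.token_hex(16)
        m["reset_expires"] = time.time() + TOKEN_TTL
        self.sent.append(("reset", email))

    def register(self, email):
        m = self.members.get(email)
        if m is None:
            m = dict(activated_member(email), activated=False,
                     activation_token=secrets.token_hex(16),
                     activation_expires=time.time() + TOKEN_TTL)
            self.members[email] = m
            self.sent.append(("activation", email))
            return "registered"
        # Only a live activation token on a not-yet-activated account justifies a resend.
        if (not m["activated"] and m["activation_token"]
                and time.time() < m["activation_expires"]):
            self.sent.append(("activation", email))
            return "activation-resent"
        return "error-already-registered"

    def set_password(self, token, new_password):
        for m in self.members.values():
            t = m["reset_token"]
            if t and time.time() < m["reset_expires"] and hmac.compare_digest(t, token):
                m["password"] = new_password
                m["reset_token"], m["reset_expires"] = "", 0  # single use
                return True
        return False


def scenario(flow_cls):
    """Replay the report: reset requested, mail lost, then a registration with the same address."""
    members = {"alice@example.org": activated_member("alice@example.org")}
    flow = flow_cls(members)
    flow.request_password_reset("alice@example.org")  # mail assumed lost; token stays stored
    outcome = flow.register("alice@example.org")
    return outcome, flow.sent
```

`scenario(SharedFieldFlow)` returns `"activation-resent"` with a second mail to the activated member, while `scenario(SeparateFieldFlow)` returns `"error-already-registered"` and sends nothing beyond the original reset mail. The report's other suggestion, prefixing tokens with their purpose in the shared field, reaches the same end as long as every consumer checks the prefix; separate fields make that check impossible to forget.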
Because activation tokens should be separate from password reset tokens as @davidmaack explained above. Right now you can probably set a new password with your activation token before you have actually activated your account.
Existing activation links won't work anymore after an update?
Both tokens are short-lived, therefore I don't think this will be a big problem.
richardhj pushed a commit to richardhj/contao-notification_center that referenced this issue on Feb 26, 2018