Cart email submit allows users to create a front-end account with no permissions #2991

Closed
mjniland1 opened this issue Oct 7, 2022 · 1 comment
Labels: bug, commerce4 (Issues related to Commerce v4)


@mjniland1

What happened?

Steps to reproduce

On the front end:

  1. Enter your email at checkout and hit continue (/shop/checkout/email)
  2. Request a password reset on that email. This request will fail. (/shop/customer/forgot-password)
  3. Run the password reset again on the same email. This request will succeed. (/shop/customer/forgot-password)
  4. Click the password reset link that you've received via email and set a password.
  5. Log in to your account with that email / pw combo (/shop/customer/sign-in)
  6. Default User Group permission won't be applied to the new account (cp>settings>users>settings>Default User Group)

Expected behavior

The process should stop at #2.

Actual behavior

A user can create a front-end user account without permissions or a username.

Craft CMS version

Craft Pro 4.2.5.2

Craft Commerce version

4.1.2

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

@nfourtythree
Contributor

Hi @mjniland1

Thank you for raising the issue.

This was actually an issue in Craft's core. We have created a fix for the problem; the fix will be included in the next release of Craft.

Thanks!
