Core Registration Bug with mismatched passwords!

I believe I found a core bug with elgg registration...

If the user trying to register provides mismatched passwords, they receive an error message; however, they become an active user without any notification, leaving their email address and username useless for further registration!

Serious problem? Definitely. Can anyone address this?

  • I've tested this on the elgg community register and received the same results.

  • Oi! Dhrup, any ideas?

    Is the best thing to do: make password only 1 field and eliminate $password2 ??

  • register_user is done before the strcmp($password, $password2) == 0 checking on the passwords and so the user gets registered anyway ;-( the elgg team needs to switch that code around - the validation should be done before the register call.

  • right.

Where can I make these changes, in the useradd.php file? Do I just need to switch around the $guid = register_user($username, $password, $name, $email, TRUE); and the strcmp($password, $password2) == 0 lines?

    This is what I'm looking at in the useradd.php file:

    // For now, just try and register the user
    try {
        // register_user() runs first, so the account already exists by the time the passwords are compared
        $guid = register_user($username, $password, $name, $email, TRUE);

        if (((trim($password) != "") && (strcmp($password, $password2)==0)) && ($guid)) {
            $new_user = get_entity($guid);
            if (($guid) && ($admin)) {
                $new_user->makeAdmin();
            }
        }
        // ... rest of the try block and the catch clause follow in the file

  • How could they mess something like that up? That's embarrassing.

  • Guess I'm in a good mood today ;-)

    actions/register.php ==>

    Bad Code -->
    // For now, just try and register the user
        try
        {
            $guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
            if (((trim($password) != "") && (strcmp($password, $password2) == 0)) && ($guid))
            {
                $new_user = get_entity($guid);
                if (($guid) && ($admin)) {

    Good Code -->
    // For now, just try and register the user
        try
        {
            // validate the input first; $guid is not assigned yet at this point, so it cannot be part of this check
            if ((trim($password) != "") && (strcmp($password, $password2) == 0))
            {
                // only a request that passed validation reaches register_user()
                $guid = register_user($username, $password, $name, $email, false, $friend_guid, $invitecode);
                if ($guid) {
                    $new_user = get_entity($guid);
                    if ($admin) {
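To make the ordering problem concrete, here is a small stand-alone PHP script (an added example, not Elgg's own code) that replaces register_user() with an in-memory store and runs both orders of operations. The class FakeUserStore and the functions attempt_register_bad()/attempt_register_good() are assumptions for this demo only; the password check itself is the same trim()/strcmp() condition used in the thread.

```php
<?php
// Added example, not Elgg code: FakeUserStore stands in for the real user table so the
// script runs offline. Its register_user() mirrors the one thing that matters here:
// it creates the account as a side effect and hands back a GUID.
class FakeUserStore {
    private array $users = [];

    public function register_user(string $username, string $password, string $email): int {
        if (isset($this->users[$username])) {
            throw new RuntimeException("username already taken: $username");
        }
        $guid = count($this->users) + 1;
        $this->users[$username] = [
            'guid'  => $guid,
            'email' => $email,
            'hash'  => password_hash($password, PASSWORD_DEFAULT),
        ];
        return $guid;
    }

    public function exists(string $username): bool {
        return isset($this->users[$username]);
    }
}

// Order reported in the thread: the account is created first, the passwords are compared afterwards.
function attempt_register_bad(FakeUserStore $store, string $username, string $password,
                              string $password2, string $email): ?int {
    $guid = $store->register_user($username, $password, $email); // side effect happens here
    if (trim($password) !== '' && strcmp($password, $password2) === 0 && $guid) {
        return $guid;
    }
    return null; // caller shows an error, but the account was never rolled back
}

// Corrected order: reject bad input before anything is written; only a valid request reaches the store.
function attempt_register_good(FakeUserStore $store, string $username, string $password,
                               string $password2, string $email): ?int {
    if (trim($password) === '' || strcmp($password, $password2) !== 0) {
        return null; // nothing was created, so the username and email remain available
    }
    $guid = $store->register_user($username, $password, $email);
    return $guid ?: null;
}

// Constructed sample input: the two password fields do not match.
$store = new FakeUserStore();
$result = attempt_register_bad($store, 'alice', 'secret1', 'secret2', 'alice@example.test');
printf("bad order: returned %s, account exists: %s\n",
       var_export($result, true), var_export($store->exists('alice'), true));

$store = new FakeUserStore();
$result = attempt_register_good($store, 'alice', 'secret1', 'secret2', 'alice@example.test');
printf("good order (mismatch): returned %s, account exists: %s\n",
       var_export($result, true), var_export($store->exists('alice'), true));

// Same username again with matching passwords succeeds only in the corrected flow,
// because the rejected attempt left no record behind.
$result = attempt_register_good($store, 'alice', 'secret1', 'secret1', 'alice@example.test');
printf("good order (match): returned %s, account exists: %s\n",
       var_export($result, true), var_export($store->exists('alice'), true));
```

Run it with `php` on the command line. The first block reproduces the orphaned account from the original report: the function returns null as if registration failed, yet the store already holds the user. The second block shows the general rule the fix relies on: every validation that can reject a request must run before the first call that changes state, since a failed check after that point cannot undo what was written.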

  • plz test and report back lolz ;-P