To be clear, what are we going to do when someone signs up with an email that has already been taken?
We currently indicate the email is already taken.
Primary email has already been taken
For when the “xxxtra email security” site setting is enabled, I like the hipchat approach otherwise, and I think it’s smart. Via email to the specified email address:
Title: Account already exists at {site}
You just tried to create an account at {site}. However, an account already exists for
name@example.com.
If you forgot your password, reset it now.
If you didn’t try to create an account for
name@example.com, don’t worry – you can safely ignore this message.If you have any questions, contact our friendly staff.
This is partially done, except the “account created” page doesn’t show these two buttons:
The absence of these buttons is a clue, so they should probably be faked too.
The setting is renamed to hide email address taken.
And while I’m at it, this form is also not covered by this setting:
Any ideas on those two places @michaeld?
I added support to the change email form in user preferences. It will respond as if it was successful, and send the email to the owner of the other account.
You just tried to create an account at Localhost Discourse, or tried to change the email of an account to doggy@woof.com. However, an account already exists for doggy@woof.com.
…
Closed in favour of Email enumeration vulnerability on "Password Reset" dialogue
