From 31b925164c1a998ac695fc815262001038a02e15 Mon Sep 17 00:00:00 2001 From: Clark Winkelmann Date: Sat, 6 Jan 2018 19:57:56 +1030 Subject: [PATCH] Always apply attributes from token when registering The change introduced in #1033 transformed any identification attribute returned from an OAuth provider to just a default value. When the identification attribute used by the provider is the email or username, this allowed the user to supply a different email or username and still getting an already-enabled account with the credentials he entered. Skipping attributes with an existing value makes no sense here because it's a always a fresh user and values from AbstractOAuth2Controller::getIdentification() should always be enforced. --- framework/core/src/Core/Command/RegisterUserHandler.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/framework/core/src/Core/Command/RegisterUserHandler.php b/framework/core/src/Core/Command/RegisterUserHandler.php index c7daf38fa..ab1d04505 100644 --- a/framework/core/src/Core/Command/RegisterUserHandler.php +++ b/framework/core/src/Core/Command/RegisterUserHandler.php @@ -116,9 +116,7 @@ class RegisterUserHandler // from the get-go. if (isset($token)) { foreach ($token->payload as $k => $v) { - if (in_array($user->$k, ['', null], true)) { - $user->$k = $v; - } + $user->$k = $v; } if (isset($token->payload['email'])) {