security updates

have to check views and entityreference for custom patches

sites/all/modules/contrib/users/logintoboggan/logintoboggan.module

@@ -447,8 +447,9 @@ function logintoboggan_user_register_submit($form, &$form_state) {
   $pre_auth = logintoboggan_validating_id() != DRUPAL_AUTHENTICATED_RID;
 
   // If we are allowing user selected passwords then skip the auto-generate function
-  // The new user's status will be 1 (visitors can create own accounts) if reg_pass_set == 1
-  // Immediate login, we are going to assign a pre-auth role, until email validation completed
+  // The new user's status should default to the site settings, unless reg_passwd_set == 1
+  // (immediate login, we are going to assign a pre-auth role), and we want to allow
+  // admin approval accounts access to the site.
   if ($reg_pass_set) {
     $pass = $form_state['values']['pass'];
     $status = 1;
@@ -504,7 +505,7 @@ function logintoboggan_user_register_submit($form, &$form_state) {
   //   3. Visitors can create their own accounts.
   $message = t('Further instructions have been sent to your e-mail address.');
   if($reg_pass_set && $pre_auth && variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS) {
-    $message = t('A validation e-mail has been sent to your e-mail address. You will need to follow the instructions in that message in order to gain full access to the site.');
+    $message = t('A validation e-mail has been sent to your e-mail address. In order to gain full access to the site, you will need to follow the instructions in that message.');
   }
 
   if (variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS) {
@@ -559,12 +560,6 @@ function logintoboggan_user_login_validate($form, &$form_state) {
  * @ingroup logintoboggan_form
  */
 function logintoboggan_user_register_validate($form, &$form_state) {
-  //Check to see whether our username matches any email address currently in the system.
-  if($mail = db_query("SELECT mail FROM {users} WHERE LOWER(:name) = LOWER(mail)", array(
-  ':name' => $form_state['values']['name'],
-  ))->fetchField()) {
-    form_set_error('name', t('This e-mail has already been taken by another user.'));
-  }
   //Check to see whether our e-mail address matches the confirm address if enabled.
   if (variable_get('logintoboggan_confirm_email_at_registration', 0) && isset($form_state['values']['conf_mail'])) {
     if ($form_state['values']['mail'] != $form_state['values']['conf_mail']) {
@@ -624,11 +619,11 @@ function logintoboggan_user_edit_validate($form, &$form_state) {
  *
  * @ingroup logintoboggan_core
  *
- * This is the best current place to dynamically remove the authenticated role
- * from the user object on initial page load.  hook_init() is too late, as menu
- * access checks have already been performed.
+ * This is currently the best place to dynamically remove the authenticated role
+ * from the user object, hook_boot() allows us to act on the user object before
+ * any access checks are performed.
  */
-function logintoboggan_menu_get_item_alter() {
+function logintoboggan_boot() {
   global $user;
 
   // Make sure any user with pre-auth role doesn't have authenticated user role
@@ -749,6 +744,12 @@ function logintoboggan_revalidate_access($account) {
  *   Which form to display, should be 'login' or 'register'.
  */
 function logintoboggan_unified_login_page($active_form = 'login') {
+  // Sanitise the $active_form text as it comes direct from the url.
+  // It should only ever be 'login' or 'register', so default to 'login'.
+  if ($active_form != 'login' && $active_form != 'register') {
+    $active_form = 'login';
+  }
+
   global $user;
   if ($user->uid) {
     menu_set_active_item('user/' . $user->uid);