<p><b>@milan-cvetkovic</b> commented on this pull request.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1575094998">app/controllers/users_controller.rb</a>:</p>
<pre style='color:#555'>> @@ -101,14 +107,9 @@ def create
if current_user.invalid?
# Something is wrong with a new user, so rerender the form
render :action => "new"
- elsif current_user.auth_provider.present?
- # Verify external authenticator before moving on
- session[:new_user] = current_user.slice("email", "display_name", "pass_crypt", "pass_crypt_confirmation")
</pre>
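Review bot: With the <code>elsif current_user.auth_provider.present?</code> branch removed, none of the visible lines of <code>create</code> verifies the external authenticator before moving on, and the discussion below confirms the user is then written with whatever <code>auth_provider</code> was submitted. If that value can arrive from request parameters, consider accepting it only from server-side session state set by a completed provider callback and clearing it otherwise, with a test that submits an unverified value. Dropping the <code>session[:new_user]</code> copy of <code>pass_crypt</code> and <code>pass_crypt_confirmation</code> is a welcome side effect.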
<blockquote>
<blockquote>
<p dir="auto">They would still have to click on "Sign up"</p>
</blockquote>
<p dir="auto">Yes, but right after that the user is written to the db with an arbitrary auth_provider. That happens before any further confirmation.</p>
</blockquote>
<p dir="auto">Correct. This is pretty much the same as if the user is created by the regular "signup" screen, before they confirm the email address. The only difference is that there is an arbitrary, not usable, value of <code class="notranslate">auth_provider</code>, and the user does not know the password assigned to them.</p>
<p dir="auto">I removed the extra round trip after <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/TomHuGES/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/TomHuGES">@TomHuGES</a>'s suggestion here: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2064057773" data-permission-text="Title is private" data-url="https://github.com/openstreetmap/openstreetmap-website/issues/4455" data-hovercard-type="pull_request" data-hovercard-url="/openstreetmap/openstreetmap-website/pull/4455/hovercard?comment_id=1443987257&comment_type=review_comment" href="https://github.com/openstreetmap/openstreetmap-website/pull/4455#discussion_r1443987257">#4455 (comment)</a>.</p>
<p dir="auto">Having a user with a bogus value of <code class="notranslate">auth_provider</code> does not hurt the OSM web site. While the user cannot use the bogus value that they manually entered, they can use the account by username/password after resetting the password. Since there is a manual action required to actually create the user record, there is no danger of bulk creation of user accounts this way, any more than is possible today.</p>