When using the latest version of ConfirmAccount and activating it via wfLoadExtension( 'ConfirmAccount' ) the createaccount permission for * is not revoked by default, allowing spammers to use the CreateAccount page.
Description
Description
Event Timeline
Comment Actions
CC @Legoktm
Seems to be an issue related to merging/overriding of config... This time with GroupPermissions
I guess this isn't a common case we see in extensions; them changing the default config of MW core extensions...