Users who register but admin approval is required are sent an email indicating their account is active instead
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3582274. -->
Reported by: [atropoides](https://www.drupal.org/user/3667734)
>>>
<h3>Problem/Motivation</h3>
<p>The <code>FormHooks::alterAccountCreationForm()</code> method hooks into <code>form_user_register_form_alter</code>, which fires on both the admin account creation form at <code>/admin/people/create</code> and the public self-registration form at <code>/user/register</code>.</p>
<p>The hook unconditionally sets the <code>notify</code> form element with a default value of <code>TRUE</code>. On the public registration form, this value is picked up by <code>RegisterForm::save()</code> in core, which then enters the <code>register_admin_created</code> mail path instead of the <code>register_pending_approval</code> path.</p>
<p>As a result, self-registering users receive the "An administrator created an account for you" email containing a one-time login link, instead of the "pending admin approval" email. The link doesn't work, because the account is actually blocked, but it is confusing and the correct email should be sent.</p>
<h3>Steps to reproduce</h3>
<ol>
<li>Enable <code>drupal_cms_helper</code></li>
<li>Set Registration and cancellation to "Visitors, but administrator approval is required"</li>
<li>Enable "Require email verification when a visitor creates an account"</li>
<li>Open <code>/user/register</code> in a private browser window</li>
<li>Register a new account</li>
<li>Check the email received</li>
</ol>
<p><strong>Expected:</strong> User receives the "pending admin approval" email without a login link.</p>
<p><strong>Actual:</strong> User receives the "An administrator created an account for you" email containing a one-time login link.</p>
<h3>Proposed resolution</h3>
<p>The entire hook body should be wrapped in a condition that checks whether the current user is authenticated, so the form alterations only apply in the admin context. Alternatively, the route name could be checked against <code>user.register</code> to skip the public registration form. Both approaches prevent the <code>notify</code> default from leaking into the self-registration flow.</p>
issue