Maybe this is fixed in CVS, but if you use Custom Registration, users can bypass the custom fields by clicking the Forgot Password link, entering a bogus name, and then registering with the simple Username and Email form that displays afterward.
The problem is with the function defaultform. It needs a small change. The function below works for me.
/**
 * Account does not exist - show both the login and register forms
 *
 * @param  string  $msg  message to display if one is needed
 * @return string        HTML for form
 *
 */
function defaultform ($msg)
{
    global $_CONF, $LANG04;

    $retval = '';

    // Optional message block shown above the forms
    if (!empty ($msg)) {
        $retval .= COM_startBlock ($LANG04[21], '',
                           COM_getBlockTemplate ('_msg_block', 'header'))
                . $msg
                . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
    }

    $retval .= loginform (true);

    // With Custom Registration enabled, show the custom form here as well,
    // so this page never offers the simple Username and Email form.
    if ($_CONF['custom_registration'] && function_exists ('CUSTOM_userForm')) {
        $retval .= CUSTOM_userForm ();
    } else {
        $retval .= newuserform ();
    }

    $retval .= getpasswordform ();

    return $retval;
}