Author
|
Message
|
Jean-Luc Nguyen
|
Tuesday 31 May 2011 8:55:45 am
Hello, When using user/register module, eZ sends an email to confirm login/email to new user, using registrationinfo.tpl. Searching on PHP side, eZ does not display the user password. Most websites do that to confirm once the login/email/password. I might be wrong, but is it a willing behaviour? Thanks,
http://www.acidre.com
|
Brandon Chambers
|
Tuesday 31 May 2011 1:27:31 pm
Can you explain a little more clear what you're trying to accomplish? You want to display the actual password a user typed within the registration email or in the actual registration confirmation page? It sounds like you might have looked into the default user/register module already. However, make sure to see if the password is available in plain text to the template (which I doubt) in the default user/register module. If so, then it's just a matter of finding the right variable available to the template. Otherwise, you need to code a separate module/view (or hack the kernel which I do not recommend). Good luck, hope this helps.
Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com
|
Jean-Luc Nguyen
|
Tuesday 31 May 2011 2:52:30 pm
Hi, I just want to display the password in the email sent to the user after using default user/register module. After searching in the PHP code, I found that there is no $password variable set to the template. I just need confirmation that the password is not displayed in the last versions of eZ. Thanks,
http://www.acidre.com
|
Marko Žmak
|
Tuesday 31 May 2011 5:09:19 pm
In the template for the sent email (User/registrationinfo.tpl) you have two variables defined, $object and $user. The first is the ezcontentobject belonging to the registered user, and the second is the ezuser of the registered user. I think they can both be used to display the password.
--
Nothing is impossible. Not if you can imagine it!
Hubert Farnsworth
|
Jean-Luc Nguyen
|
Wednesday 01 June 2011 1:24:43 am
Hi, I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard. Thanks for your answer.
http://www.acidre.com
|
Marko Žmak
|
Wednesday 01 June 2011 1:36:06 am
"
Hi, I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard.
"
Does the $object variable maybe contain the password?
--
Nothing is impossible. Not if you can imagine it!
Hubert Farnsworth
|
Jean-Luc Nguyen
|
Wednesday 01 June 2011 1:48:21 am
"
"
Hi, I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard.
"
Does the $object variable maybe contain the password?
"
Nop, the password cannot be shown, as it is encrypted in the DB.
http://www.acidre.com
|
Brandon Chambers
|
Wednesday 01 June 2011 9:42:32 am
Then you might consider taking the default registration module and hack it. More specifically I mean create a new extension for the new module with proper templates and some PHP code to intercept the password in plain text and as a hash for the DB transaction. Hope this helps.
Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com
|
Peter Keung
|
Wednesday 01 June 2011 10:42:39 am
If this template is fired from user/register, then you might also have the password available in a POST variable.
http://www.mugo.ca
Mugo Web, eZ Partner in Vancouver, Canada
|
Jean-Luc Nguyen
|
Wednesday 01 June 2011 1:15:56 pm
Hi, Thanks for your answers. Actually, I know how to hack code to get the password or create a custom module based on user/register, but I was thinking that it was strange that default eZ behaviour would not send password at the registration step, using user/register. Thanks again.
http://www.acidre.com
|
Brandon Chambers
|
Wednesday 01 June 2011 1:34:38 pm
True that it might be considered strange, but also consider it to be a built-in security feature that the password is not available in a transition type of action on the server (form submit to email notification). One less point if exploitation is better than storing the plain-text password in several locations where it could be exploited (sever memory, database, within the script itself and possible vulnerable to XSS not likely..but still possible). I could be wrong but give it a shot and good luck. :)
Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com
|
Marko Žmak
|
Wednesday 01 June 2011 5:08:27 pm
Actually, now that I thing about it... the $password variable is defined in user/registrationinfo.tpl template and it contains the user's password. I remember using it many times and I just tested it on a 4.4 installation. Also, this variable is used in design/standard/templates/user/registrationinfo.tpl.
--
Nothing is impossible. Not if you can imagine it!
Hubert Farnsworth
|
Brandon Chambers
|
Friday 03 June 2011 2:52:46 pm
Nice...I'll have to remember this.
Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com
|