Forums / Developer / registrationinfo.tpl password

registrationinfo.tpl password

Author Message

Jean-Luc Nguyen

Tuesday 31 May 2011 8:55:45 am

Hello,

When using user/register module, eZ sends an email to confirm login/email to new user, using registrationinfo.tpl. Searching on PHP side, eZ does not display the user password.

Most websites do that to confirm once the login/email/password. I might be wrong, but is it a willing behaviour?

Thanks,

http://www.acidre.com

Brandon Chambers

Tuesday 31 May 2011 1:27:31 pm

Can you explain a little more clear what you're trying to accomplish?

You want to display the actual password a user typed within the registration email or in the actual registration confirmation page?

It sounds like you might have looked into the default user/register module already. However, make sure to see if the password is available in plain text to the template (which I doubt) in the default user/register module. If so, then it's just a matter of finding the right variable available to the template. Otherwise, you need to code a separate module/view (or hack the kernel which I do not recommend).

 

Good luck, hope this helps.

Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com

Jean-Luc Nguyen

Tuesday 31 May 2011 2:52:30 pm

Hi,

I just want to display the password in the email sent to the user after using default user/register module. After searching in the PHP code, I found that there is no $password variable set to the template.

I just need confirmation that the password is not displayed in the last versions of eZ.

Thanks,

http://www.acidre.com

Marko Žmak

Tuesday 31 May 2011 5:09:19 pm

In the template for the sent email (User/registrationinfo.tpl) you have two variables defined, $object and $user. The first is the ezcontentobject belonging to the registered user, and the second is the ezuser of the registered user.

I think they can both be used to display the password.

--
Nothing is impossible. Not if you can imagine it!

Hubert Farnsworth

Jean-Luc Nguyen

Wednesday 01 June 2011 1:24:43 am

Hi,

I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard.

Thanks for your answer.

http://www.acidre.com

Marko Žmak

Wednesday 01 June 2011 1:36:06 am

"

Hi,

I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard.

"

Does the $object variable maybe contain the password?

--
Nothing is impossible. Not if you can imagine it!

Hubert Farnsworth

Jean-Luc Nguyen

Wednesday 01 June 2011 1:48:21 am

"
"

Hi,

I guess the default registrationinfo.tpl needs to be updated, the $user variable does not contain any password, except password_hash, which is standard.

"

Does the $object variable maybe contain the password?

"

Nop, the password cannot be shown, as it is encrypted in the DB.

http://www.acidre.com

Brandon Chambers

Wednesday 01 June 2011 9:42:32 am

Then you might consider taking the default registration module and hack it. More specifically I mean create a new extension for the new module with proper templates and some PHP code to intercept the password in plain text and as a hash for the DB transaction.

 

Hope this helps.

Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com

Peter Keung

Wednesday 01 June 2011 10:42:39 am

If this template is fired from user/register, then you might also have the password available in a POST variable.

http://www.mugo.ca
Mugo Web, eZ Partner in Vancouver, Canada

Jean-Luc Nguyen

Wednesday 01 June 2011 1:15:56 pm

Hi,

Thanks for your answers. Actually, I know how to hack code to get the password or create a custom module based on user/register, but I was thinking that it was strange that default eZ behaviour would not send password at the registration step, using user/register.

Thanks again.

http://www.acidre.com

Brandon Chambers

Wednesday 01 June 2011 1:34:38 pm

True that it might be considered strange, but also consider it to be a built-in security feature that the password is not available in a transition type of action on the server (form submit to email notification). One less point if exploitation is better than storing the plain-text password in several locations where it could be exploited (sever memory, database, within the script itself and possible vulnerable to XSS not likely..but still possible).

I could be wrong but give it a shot and good luck. :)

Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com

Marko Žmak

Wednesday 01 June 2011 5:08:27 pm

Actually, now that I thing about it... the $password variable is defined in user/registrationinfo.tpl template and it contains the user's password.

I remember using it many times and I just tested it on a 4.4 installation.

Also, this variable is used in design/standard/templates/user/registrationinfo.tpl.

--
Nothing is impossible. Not if you can imagine it!

Hubert Farnsworth

Brandon Chambers

Friday 03 June 2011 2:52:46 pm

Nice...I'll have to remember this.

Brandon Chambers
[email protected]
blog: http://blog.divdesigns.com
Granite Horizon / http://granitehorizon.com