The link to the user homepage contains a password.
Like: http://example.com/uzsbgcwfby
This line (50) in email_registration.module:
$form['name']['#value'] = user_password();
makes this HTML object:
<input id="edit-name" type="hidden" value="dW5dRTJmv3" name="name"/>
which contains the password.
Normally this value should be empty.
After that, this value is passed into user.module, which executes this query:
INSERT INTO users (name, mail, pass, status, timezone, init, created, access) VALUES ('UzSbGcWFBY', ...,
Comment | File | Size | Author |
---|---|---|---|
#6 | email_registration.install.patch | 450 bytes | kenorb |
#3 | email_registration.module.patch | 688 bytes | kenorb |
#4 | email_registration.module.patch | 564 bytes | kenorb |
Comments
Comment #1
kenorb commented:
Ok, I found that the username is replaced in email_registration_user(). But I still don't understand why this alias in my case still contains the password.
Watchdog record:
Using: logintoboggan, genpass, pathauto
Issue is related to this one:
#254422: Using old data for tokens
Comment #2
kenorb commented:
Maybe because I'm using pathauto, which has a default alias for users: [user-raw], and its weight is before email_registration?
No.
Comment #3
kenorb commented:
It's because email_registration updated the name directly in the database without updating the current object, which can be used by other modules, and it's inconsistent.
Apart from the patch, you should change the weight of email_registration to 0 (before autopath which has 1).
#316737: pathauto_user token data is inconsistent
Or just delete the .install file (where there is nothing) and reinstall the module.
1st should be the module which replaces the username, 2nd should be token, and 3rd should be pathauto.
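The ordering problem described in comment #3, as an added example that is not part of the original thread or of the module's code: a stand-alone PHP simulation showing why both the object update and the weight change are needed. The `*_sim` handlers, the `users/` alias prefix, the sample address and the derivation of the username from the e-mail address are assumptions made for illustration.

```php
<?php
// Constructed simulation, not Drupal or email_registration code.

// Hypothetical stand-in for the module that replaces the placeholder username.
function email_registration_sim($account, array &$row, $sync_object) {
  // Assumption: the final username is derived from the e-mail address.
  $name = substr($account->mail, 0, strpos($account->mail, '@'));
  $row['name'] = $name;       // direct database update
  if ($sync_object) {
    $account->name = $name;   // also refresh the object other modules read
  }
}

// Hypothetical stand-in for the module that builds the public user alias.
function pathauto_sim($account, array &$row, $sync_object) {
  // The alias comes from the in-memory object, not from a fresh database read.
  $row['alias'] = 'users/' . $account->name;
}

// Runs the handlers in ascending module weight and returns the stored row.
function register_user(array $weights, $sync_object) {
  $account = (object) array(
    'mail' => 'alice@example.com',  // constructed sample address
    'name' => 'dW5dRTJmv3',         // placeholder from the hidden form field
  );
  $row = array('name' => $account->name);
  asort($weights);
  foreach (array_keys($weights) as $module) {
    $handler = $module . '_sim';
    $handler($account, $row, $sync_object);
  }
  return $row;
}

$late  = array('email_registration' => 10, 'pathauto' => 1);
$early = array('email_registration' => 0, 'pathauto' => 1);
$cases = array(
  'weight 10, db only'   => array($late, FALSE),
  'weight 0, db only'    => array($early, FALSE),
  'weight 10, db+object' => array($late, TRUE),
  'weight 0, db+object'  => array($early, TRUE),
);
foreach ($cases as $label => $case) {
  $row = register_user($case[0], $case[1]);
  printf("%-22s name=%-6s alias=%s\n", $label, $row['name'], $row['alias']);
}
```

Only the last case yields an alias built from the real username; in the other three the placeholder ends up in the public URL.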
Comment #4
kenorb commented:
Re-uploaded cleaner version of patch.
Comment #5
kenorb commented:
Marked: #321473: Module weight & other modules that interact with 'insert' in hook_user as duplicate.
Comment #6
kenorb commented:
This is the patch for weight; it requires an update (see #3).
You don't need to use this patch for the .install file if you delete your .install file and reinstall the module.
This patch should be combined with #4.
I don't see any reason that email_registration weight should be 10, instead of 0.
Comment #7
asak commented:
I can confirm that using the patches in comments #4 and #6 works.
I'm using this in combination with AAR, subdomain, pathauto and content_profile on D6.9 - and all is well.
Great work. Thank you!
Comment #8
joostvdl commented:
Is this going in the DEV branch?
Comment #9
Christopher Herberte commented:
Committed to 6.x.1.x-dev
Please test, especially the weight change. IIRC this was added back in 5.x to fix this same issue?
I'm not closing this issue just yet.
Comment #10
s.Daniel commented:
With the latest dev I can still see a report like this in the watchdog:
"New user: 2wcbWdmbSu (sth@sth.net)."
2wcbWdmbSu is not the password - what is it?
Anyhow the dev works besides that.
Comment #11
Christopher Herberte commented:
Username cannot be empty, the crud is just a placeholder until we obtain the email address. Closing.
Comment #13
mendelson commented:
With the weight 0, the changes to the forms in email_registration_form_alter for the names are not working. Or not effective, because the other modules (logintoboggan) set it later.