Work around is of course to set the "Method for viewing passwords" to "Own page" instead of "Both" or "Collapsible box". But I would consider this an unexpected behaviour though, and we all sometimes do a login as admin with somebody in the back – maybe on a machine where JS is disabled and experiencing this behaviour the first time.

Would be a small change to make the fieldset invisible with a "display: none;" and finally reveal it by JS itself on page load.

Members fund testing for the Drupal project. Drupal Association Learn more


Leeteq’s picture

Version: 6.x-1.4 » 7.x-1.x-dev

I think that when Javascript is disabled, it should provide a dedicated link to load the password manually to its own "page".
With JS enabled, the link should collapse so the password is initially hidden behind the link, then revealed inline when clicking on the link.
(Setting it for 7.x first, which then may be backported.)

EvanDonovan’s picture

Category: feature » bug
Priority: Normal » Major

Personally, I think this might be considered a security issue. Not everyone uses JS.

It is mitigated to a certain extent by the fact that only the user will see it him/herself.

What's the best way to handle this, do you think?

iberezovchuk’s picture

Issue summary: View changes
Status: Active » Needs review
2.23 KB

There are ajax link for showing password on user page.

andriyun’s picture

Status: Needs review » Needs work
  1. +++ b/aes.module
    @@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
    +function aes_password_view($uid) {
    +  $output = '<div id="aes_password">';
    +  drupal_add_library('system', 'drupal.ajax');
    +  $link = l(t('Show pass'), 'aes_get_password_callback/' .$uid. '/nojs/', array('attributes' => array('class' => array('use-ajax'))));
    +  $output .= "$link</div>";
    +  return $output;

    I think code from this function should move to line 416.
    There is no need for new custom function.
    Please note to space after dots. And line length should be less than 80 characters

  2. +++ b/aes.module
    @@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {

    Please add documentation for function.

andriyun’s picture

+++ b/aes.module
@@ -403,11 +412,11 @@ function aes_user_view($account, $view_mode, $langcode) {
-      $password_form = drupal_get_form('aes_view_password_form', aes_get_password($account->uid, TRUE));

If aes_view_password_form is never used, should be remove function code from module

podarok’s picture

  1. +++ b/aes.module
    @@ -35,6 +35,15 @@ function aes_menu() {
    +    'title' => 'User password',

    User's pasword

  2. +++ b/aes.module
    @@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
    +function aes_password_view($uid) {

    Needs docblock

  3. +++ b/aes.module
    @@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
    +function aes_ajax_callback($uid, $type = 'ajax') {

    Needs docblock

iberezovchuk’s picture

Assigned: Unassigned » iberezovchuk
iberezovchuk’s picture

Status: Needs work » Needs review
3.14 KB

There is patch with fixed bugs.

podarok’s picture

Assigned: iberezovchuk » Unassigned
Status: Needs review » Reviewed & tested by the community

Code looks good for me.

  • dpovshed committed 58d085a on 7.x-1.x
    Issue #1114780: minor code clean-up.
  • dpovshed committed e32164c on 7.x-1.x authored by TaNLaN
    Issue #1114780 by TaNLaN: Password is unexpectedly visible on the 'My...
dpovshed’s picture

Status: Reviewed & tested by the community » Fixed

  • dpovshed committed 4f0f78f on 7.x-1.x
    Issue #1114780: default setting is to view password on a separate page;...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.