Is there any other way to update the password so admins can see it? I am using ubercart to create a user. When a user purchases a product they create an account and then my team physically creates something with their information. Right now we have to make every user login manually after a purchase so we can see their password with aes. I have tried the automatically log in user after purchase but it doesnt update the aes password.

thank you for your help i really appreciate it!

Comments

greggles’s picture

Title:Any other way to update?» Don't use $_POST to check for changing variables
Category:support» bug

I believe the problem is that aes_user_alter is using $_POST instead of getting the data from $edit.

15handsmedia’s picture

Im not that smart. What does this mean? Sorry for my ignorance.

greggles’s picture

$_POST is a variable that the webserver gives to PHP so PHP can respond to forms that are POSTed. In Drupal's hooks it is considered a bad practice to do that because it means that code will break when there is other code that uses the API to create a user (e.g. from Ubercart or Migrate).

15handsmedia’s picture

So is this fixable? I appreciate your help. Thank you.

greggles’s picture

Yes, totally fixable. It will require some effort by the AES maintainers to figure out where those same variables are stored in the arguments to the hook functions instead of relying on the $_POST.

andypost’s picture

Issue summary:View changes

There's a comment about why module uses POST directly - password already hashed so only POST contains user data

dpovshed’s picture

Status:Active» Closed (won't fix)

Thanks @andypost for your information!

Let us do the following (and correct me if I am wrong here).
1. this particular ticket going to be closed since it works as designed;
2. in case there is a need to mass update all users passwords and store them in the format accessible by AES, I think separate ticket should be created; this definitely should be doable with separate dedicated form; alternatively we may force some/all users to change password by adding a new option like 'reset password' to selector on page 'admin/people'.
3. in case there is a need for per-user password update probably we may introduce a new field on some system form and store unencrypted password here, but this is not a nice from security point of view, so we better don't do this.

andypost’s picture

OTOH you will need user_load() in submit handler