Summary

The 'Create a Drupal user' action in the CiviCRM entity module has code that generates and sets a password for the user.

The code is not currently in use, as the password is set on the user object after it has already been saved.

The code should not be used because it sets an insecure password (8 random alphabetic characters). In addition, the password is no longer emailed out in Drupal 7. This would also be a security issue. One-time login links that allow users to set their own password are used instead.

Proposed resolution

There is a pull request here: https://github.com/eileenmcnaughton/civicrm_entity/pull/39

It removes the unused password-setting functionality and uses the Drupal user module to send the notification email, rather than custom code.
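The approach described in the summary, sketched as an added example; it is not code from the pull request or from civicrm_entity. It assumes a bootstrapped Drupal 7 site with the core user module, and the function name `example_create_drupal_user` and the choice of the `register_admin_created` notification are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not civicrm_entity code): create a Drupal 7 account
 * and let core send the notification mail.
 */
function example_create_drupal_user($name, $mail) {
  $edit = array(
    'name' => $name,
    'mail' => $mail,
    'init' => $mail,
    'status' => 1,
    // Throwaway value that is never displayed or emailed. It has to be in
    // $edit at save time: user_save() hashes $edit['pass'] while saving, so
    // assigning $account->pass after the save never reaches the database.
    'pass' => user_password(32),
  );

  // An empty $account tells user_save() to create a new user.
  $account = user_save(NULL, $edit);
  if (!$account) {
    return FALSE;
  }

  // Core's mail for this operation uses the site's configured template,
  // whose default text includes the [user:one-time-login-url] token, so the
  // user sets their own password and no password travels by email.
  _user_mail_notify('register_admin_created', $account);

  return $account;
}
```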

Comments

markusa

Assigned: Unassigned » markusa
Status: Active » Needs review

Accepted merge request on GitHub repo.

JKingsnorth is right.

expect new -dev tomorrow

needs community review

markusa

Status: Needs review » Fixed

No feedback and no error reports. Closing task.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

JKingsnorth

Thanks for the merge.