Hi, when email_registration is enabled, the Drupal password reset page for one-time account activation links still shows the username rather than the email address, such as "This is a one-time login link for email_registration_fxb78KrJHe". This is a confusing experience for users as they never chose that username or are exposed to it elsewhere. It'd be nice if this page showed the email address instead.
I think this could be fixed by implementing hook_form_FORM_ID_alter for the user_pass_reset form with something like this:

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass_reset form.
 */
function mymodule_form_user_pass_reset_alter(array &$form, FormStateInterface $form_state, $form_id) {
  /** @var \Drupal\Core\Session\AccountInterface $user */
  $user = $form_state->getBuildInfo()['args'][0];
  /** @var \Drupal\Core\StringTranslation\TranslatableMarkup $message */
  $message = $form['message']['#markup'];
  // Keep core's translatable string, but fill the %user_name placeholder with the email address.
  $arguments = $message->getArguments();
  $arguments['%user_name'] = $user->getEmail();
  $form['message']['#markup'] = new TranslatableMarkup($message->getUntranslatedString(), $arguments);
}
It would be nice if this could be in email_registration rather than having to include this in a custom module.
Thanks!
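A defensive variant of the same alter hook, added here as an illustration and not taken from the issue's merge request or from the email_registration module. The checks are this editor's own, not necessarily the ones added later in the thread, and the module name mymodule is a placeholder. It leaves the form untouched unless the user object, the message object and a non-empty email address are all present, and it relies on the fact that a % placeholder is escaped by Drupal's FormattableMarkup when rendered:

```php
<?php

/**
 * @file
 * Added example (not part of the issue or the email_registration module):
 * a defensive version of the user_pass_reset form alter that only swaps
 * the username for the email address when everything it relies on exists.
 * "mymodule" is a placeholder module name.
 */

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;

/**
 * Implements hook_form_FORM_ID_alter() for user_pass_reset.
 */
function mymodule_form_user_pass_reset_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // The account is the first build argument of the user_pass_reset form.
  $args = $form_state->getBuildInfo()['args'] ?? [];
  $user = $args[0] ?? NULL;
  if (!$user instanceof AccountInterface) {
    return;
  }

  // Only touch the message if core still renders it as a TranslatableMarkup
  // object; otherwise leave it alone rather than guess at its structure.
  $message = $form['message']['#markup'] ?? NULL;
  if (!$message instanceof TranslatableMarkup) {
    return;
  }

  // Accounts without a mail address would otherwise get a blank in the
  // message, so fall back to the original username in that case.
  $email = trim((string) $user->getEmail());
  if ($email === '') {
    return;
  }

  // Only replace the placeholder core's message actually uses. A "%"
  // placeholder is escaped by FormattableMarkup, so the address is
  // rendered as text, never as markup.
  $arguments = $message->getArguments();
  if (!array_key_exists('%user_name', $arguments)) {
    return;
  }
  $arguments['%user_name'] = $email;

  // Rebuild the message with the same untranslated string and options so
  // translation and context behave exactly as before.
  $form['message']['#markup'] = new TranslatableMarkup(
    $message->getUntranslatedString(),
    $arguments,
    $message->getOptions()
  );
}
```

Place this in mymodule.module of an enabled module. Because every branch returns early when the form does not look the way core currently builds it, a future core change degrades to the original username being shown rather than to a broken reset page.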
Issue fork email_registration-3065842
Comments
Comment #2
Indrapatil (CreditAttribution: Indrapatil as a volunteer) commented (no text).
Comment #3
xmacinfo: @Indra patil, please be careful when working in issues. You must not assign yourself if you do not work on a fix.
Comment #4
greggles: That seems like a great idea. Here's a patch version of the original issue by @JeremySkinner.
Comment #5
greggles: This should be postponed until #2828724: Username enumeration via one time login route is fixed.
Comment #6
xmacinfo commented (no text).
Comment #7
Grevil (DROWL.de): Definitely makes sense!
Comment #8
Anybody: @Grevil: Could you check the status in 2.x tomorrow (shortly) perhaps and post it here? (without the submodule)
Comment #9
Grevil (DROWL.de): @Anybody this shouldn't be a problem any more, since this username is only temporary. I'll check it.
Comment #10
Grevil (DROWL.de): It still shows the username on password reset.
E.g., if we create a user with the email "admin@test.de", we'll get a reset mail along the lines of:
(or admin_1, admin_2, ..., if "admin" was already taken).
I agree that using the mail address of the user might be better.
(For everyone still having usernames prefixed with "email_registration_" or other usernames which should be overwritten, there is a new "Update username (from email_registration)" batch action to use.)
Update: Whoops, of course the reset link page was meant, not the mail, which can be manually configured differently already.
Comment #11
Grevil (DROWL.de) commented (no text).
Comment #12
Grevil (DROWL.de): Thank you, @JeremySkinner! Code snippet works and looks great! I just did some tiny adjustments to it! RTBC!
Comment #14
Grevil (DROWL.de): Adding a few security checks.
Comment #15
Grevil (DROWL.de): Alright, now there are enough changes to let somebody review this. Please review!
Comment #16
Anybody: @Grevil I think the approach from #3396313: Move obfuscation logic of submodule into main module might be better. Until we have that in place I'll postpone this.
If that isn't enough we should keep the code here to add this later. Back to NR then, if that should be the case.
Comment #17
Anybody: @Grevil: You wrote:
What's the displayed username?
In the issue summary it was "email_registration_fxb78KrJHe"
If it's now "admin" (for example for admin@example.com), I think this could be seen as works as expected in 2.x and we could close this.
If it shows sth. like "email_registration_fxb78KrJHe" we should merge the MR.
I'm a bit unsure if the fix could introduce security risks, so if we don't need it, we shouldn't do it, I think!
Also, long-term #3396313: Move obfuscation logic of submodule into main module might be the better and more general approach.
Comment #18
Grevil (DROWL.de): @Anybody, the original prefixed username ("email_registration_") doesn't show up on the password reset any more. As discussed locally, the username will still show up in several places, and having this exception ONLY on the password reset page is kind of odd, as it doesn't change anywhere else.
For the use case to have the email-address shown instead of the username in every place, you can use the newly added submodule, which syncs your mail address with your username!
Original issue is fixed.