Drupal 7 has token functionality built in - I added a token for this module, which enabled me to add links to system e-mails (for example the user activation e-mail) using a syntax like "[site:url]l/[user:urllogin-token]" (note that the "l" after "[site:url]" is correct).

File: token.patch | Size: 994 bytes | Author: owen barton

Comments

andrewfn:

This looks like a great addition and the patch applies cleanly, but I have a security concern:

  • It looks like this gives anyone with the permission to use tokens the ability to access the URL login strings, and hence the ability to access a large number of accounts on the system.
  • This is not a problem if it is controlled by a permission, but I don't see a simple way for such a permission to be set on a token.
  • I guess in theory hook_tokens() and hook_token_info() could find out if the current user had the required permission.
  • However, I am guessing that when mail is sent out, the current "user" is the system, not the user who created the email.

Do you see a solution to this?

jdleonard:

Perhaps this module could provide a setting that can be enabled to provide these tokens along with explaining the security concern (default to disabled).

wind_kind:

How can I make this work with Rules? I applied the patch and I'm trying to get the URL in an email template in Rules but the token is not there. I'm not too concerned with the security implications as I am the admin.