Project

General

Profile

Actions

Bug #8879

open

Integrations can cause cleartext password to be lost when sending activation email

Added by krileon about 2 years ago. Updated 6 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Start date:
04 March 2022
Due date:
% Done:

0%

Estimated time:

Description

A user store done during user user trigger can result in cleartext password being encrypted. This results in password being encrypted in the email as well. This is a problem when using randomly generated passwords as the user won't be able to receive their password.

So far this confirmed happens with CBSubs in the following scenario.

Randomly Generated Passwords: Yes
Admin Approval: No
Email Confirmation: No

In this case password would be sent in the Welcome email, but due to a user store in CBSubs becomes encrypted. Other integrations could easily cause this as well. It would be safer to pass the cleartext password to activateUser function directly and then onto email handling OR as a private variable like _password.

Actions #1

Updated by krileon about 2 years ago

Also worth considering improving this feature so the random password is single use. To do this we'd need to toggle on resetPassword at time of registration. This way on first login they'd have to provide a new password.

Actions #2

Updated by beat almost 2 years ago

  • Target version changed from CB 2.7.3 to CB 2.7.4
Actions #3

Updated by krileon over 1 year ago

  • Target version changed from CB 2.7.4 to CB 2.8
Actions #4

Updated by beat about 1 year ago

  • Target version changed from CB 2.8 to CB 2.8.1
Actions #5

Updated by beat 8 months ago

  • Target version changed from CB 2.8.1 to CB 2.8.2
Actions #6

Updated by beat 7 months ago

  • Target version changed from CB 2.8.2 to CB 2.9.0
Actions #7

Updated by beat 6 months ago

  • Target version changed from CB 2.9.0 to CB 2.9.2
Actions

Also available in: Atom PDF