Bug #8879

open

Integrations can cause cleartext password to be lost when sending activation email

Added by krileon about 2 years ago. Updated 6 months ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Start date: 04 March 2022
Due date:
% Done: 0%
Estimated time:

Description

A user store done during a user trigger can result in the cleartext password being encrypted. This results in the password being encrypted in the email as well. This is a problem when using randomly generated passwords, as the user won't be able to receive their password.

So far this is confirmed to happen with CBSubs in the following scenario.

Randomly Generated Passwords: Yes
Admin Approval: No
Email Confirmation: No

In this case the password would be sent in the Welcome email, but due to a user store in CBSubs it becomes encrypted. Other integrations could easily cause this as well. It would be safer to pass the cleartext password to the activateUser function directly and then on to email handling, OR as a private variable like _password.

Actions #1

Updated by krileon about 2 years ago

Also worth considering improving this feature so the random password is single use. To do this we'd need to toggle on resetPassword at time of registration. This way on first login they'd have to provide a new password.
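
An added illustration of the failure described in this issue and of the two suggestions above (separate cleartext hand-off, forced reset on first login). It is not Community Builder or CBSubs code: the `User` class, `integrationTrigger()`, `welcomeEmail()` and both register functions are hypothetical stand-ins, and it assumes the store step replaces the password property with a hash.

```php
<?php
// Hypothetical stand-ins only; none of these names are Community Builder's API.
final class User
{
    public string $password = '';        // cleartext until the first store()
    public bool $resetPassword = false;  // models the resetPassword toggle from the issue

    public function store(): void
    {
        // Assumed behaviour: a value that is not yet a hash is replaced by its hash.
        if (password_get_info($this->password)['algoName'] === 'unknown') {
            $this->password = password_hash($this->password, PASSWORD_DEFAULT);
        }
    }
}

// An integration that saves the user from inside a registration trigger.
function integrationTrigger(User $user): void
{
    $user->store();
}

function welcomeEmail(string $password): string
{
    return "Your password: {$password}";
}

// Affected pattern: the email reads the password back from the user object.
function registerAffected(User $user, string $randomPassword): string
{
    $user->password = $randomPassword;
    integrationTrigger($user);           // cleartext on the object is gone here
    $user->store();
    return welcomeEmail($user->password);
}

// Safer pattern: cleartext is handed to the email step as its own argument.
function registerSafer(User $user, string $randomPassword): string
{
    $user->password = $randomPassword;
    $user->resetPassword = true;         // random password must be changed at first login
    integrationTrigger($user);
    $user->store();
    return welcomeEmail($randomPassword);
}

$pw = bin2hex(random_bytes(8));          // constructed sample password
echo registerAffected(new User(), $pw), PHP_EOL;  // email carries the stored form
echo registerSafer(new User(), $pw), PHP_EOL;     // email carries the generated password
```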

Actions #2

Updated by beat almost 2 years ago

  • Target version changed from CB 2.7.3 to CB 2.7.4
Actions #3

Updated by krileon over 1 year ago

  • Target version changed from CB 2.7.4 to CB 2.8
Actions #4

Updated by beat over 1 year ago

  • Target version changed from CB 2.8 to CB 2.8.1
Actions #5

Updated by beat 8 months ago

  • Target version changed from CB 2.8.1 to CB 2.8.2
Actions #6

Updated by beat 7 months ago

  • Target version changed from CB 2.8.2 to CB 2.9.0
Actions #7

Updated by beat 6 months ago

  • Target version changed from CB 2.9.0 to CB 2.9.2