[2.x] Password reset page shows username rather than email when email_registration is enabled

Created on 4 July 2019, almost 5 years ago
Updated 25 October 2023, 8 months ago

Hi, when email_registration is enabled, the Drupal password reset page for one-time account activation links still shows the username rather than the email address, such as "This is a one-time login link for email_registration_fxb78KrJHe". This is a confusing experience for users as they never chose that username or are exposed to it elsewhere. It'd be nice if this page showed the email address instead.

I think this could be fixed by implementing hook_FORM_ID_alter for the user_pass_reset form with something like this:

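use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass_reset form.
 */
function mymodule_form_user_pass_reset_alter(&$form, FormStateInterface $form_state, $form_id) {
  // The account being reset is the first build argument of the form.
  /** @var \Drupal\Core\Session\AccountInterface $user */
  $user = $form_state->getBuildInfo()['args'][0];
  /** @var \Drupal\Core\StringTranslation\TranslatableMarkup $message */
  $message = $form['message']['#markup'];
  // Swap the %user_name placeholder value for the account's email address.
  $arguments = $message->getArguments();
  $arguments['%user_name'] = $user->getEmail();
  $form['message']['#markup'] = new TranslatableMarkup($message->getUntranslatedString(), $arguments);
}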

It would be nice if this could be in email_registration rather than having to include this in a custom module.

Thanks!

🐛 Bug report
Status: Fixed
Version: 2.0
Component: Code
Created by: 🇬🇧United Kingdom JeremySkinner
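
A defensive variant of the hook proposed in the issue summary above, as an added example that is not part of the original post and not the code from the merge request mentioned in the comments. The module name "example_module" is hypothetical, and the specific checks are assumptions about what a cautious implementation would verify before touching the message.

```php
<?php

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;

/**
 * Implements hook_form_FORM_ID_alter() for user_pass_reset.
 *
 * "example_module" is a hypothetical module name.
 */
function example_module_form_user_pass_reset_alter(array &$form, FormStateInterface $form_state, $form_id) {
  $args = $form_state->getBuildInfo()['args'] ?? [];
  $account = $args[0] ?? NULL;
  $message = $form['message']['#markup'] ?? NULL;

  // Leave the form untouched unless it has exactly the shape we expect:
  // another module may already have replaced the message or its arguments.
  if (!$account instanceof AccountInterface || !$message instanceof TranslatableMarkup) {
    return;
  }

  $arguments = $message->getArguments();
  $email = $account->getEmail();
  // Only swap a placeholder that is actually present, and never replace
  // the username with an empty value.
  if (!array_key_exists('%user_name', $arguments) || $email === NULL || $email === '') {
    return;
  }

  // Keep the "%" placeholder type: its value is escaped on render, so the
  // email address is never output as raw HTML.
  $arguments['%user_name'] = $email;
  $form['message']['#markup'] = new TranslatableMarkup(
    $message->getUntranslatedString(),
    $arguments,
    // Preserve the langcode/context options of the original string.
    $message->getOptions()
  );
}
```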


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇩🇪Germany Grevil

    Definitely makes sense!

  • 🇩🇪Germany Anybody Porta Westfalica

    @Grevil: Could you check the status in 2.x tomorrow (shortly) perhaps and post it here? (without the submodule)

  • 🇩🇪Germany Grevil

    @Anybody this shouldn't be a problem any more, since this username is only temporary. I'll check it.

  • 🇩🇪Germany Grevil

    Well, it still shows the username on password reset, but I guess this is fine?
    E.g., if we create a user with the email "admin@test.de", we'll get a reset mail along the lines of:

    admin,

    A request to reset the password for your account has been made at Drush
    Site-Install.

    (or admin_1, admin_2, ..., if "admin" was already taken).

    I agree that using the mail address of the user might be better.

    (For everyone still having usernames prefixed with "email_registration_" or other usernames which should be overwritten, there is a new "Update username (from email_registration)" batch action to use.)

  • Assigned to Grevil
  • Issue was unassigned.
  • Status changed to RTBC 8 months ago
  • 🇩🇪Germany Grevil

    Thank you, @JeremySkinner! Code snippet works and looks great! I just did some tiny adjustments to it! RTBC!

  • @grevil opened merge request.
  • Status changed to Needs work 8 months ago
  • 🇩🇪Germany Grevil

    Adding a few security checks.

  • Assigned to Anybody
  • Status changed to Needs review 8 months ago
  • 🇩🇪Germany Grevil

    Alright, now there are enough changes to let somebody review this. Please review!

  • Issue was unassigned.
  • Status changed to Postponed 8 months ago
  • 🇩🇪Germany Anybody Porta Westfalica

    @Grevil I think the approach from "Move obfuscation logic of submodule into main module" (Active) might be better. Until we have that in place I'll postpone this.
    If that isn't enough we should keep the code here to add this later. Back to NR then, if that should be the case.

  • 🇩🇪Germany Anybody Porta Westfalica

    @Grevil: You wrote:

    It still shows the username on password reset.

    What's the displayed username?

    In the issue summary it was "email_registration_fxb78KrJHe"

    If it's now "admin", for example, for admin@example.com, I think this could be seen as "works as expected" in 2.x and we could close this.
    If it shows something like "email_registration_fxb78KrJHe" we should merge the MR.

    I'm a bit unsure if the fix could introduce security risks, so if we don't need it, we shouldn't do it, I think!
    Also, long-term, "Move obfuscation logic of submodule into main module" (Active) might be the better and more general approach.

  • Status changed to Fixed 8 months ago
  • 🇩🇪Germany Grevil

    @Anybody, the original prefixed username ("email_registration_") doesn't show up on the password reset any more. As discussed locally, the username will still show up in several places, and having this exception ONLY on the password reset page is kind of odd, as it doesn't change anywhere else.

    For the use case to have the email-address shown instead of the username in every place, you can use the newly added submodule, which syncs your mail address with your username!

    Original issue is fixed.

  • Automatically closed - issue fixed for 2 weeks with no activity.
