[user:one-time-login-url] is not available on config page, so new user cannot log in

I'm changing the project name of this issue because it really affects Variable Email (since Commerce Email is using Variable Email to send the emails).

I had this issue and if you look in the file variable_email.rules.inc, you will find some code commented out which allows you to have the user:one-time-login-url token available. This code is commented out, however, because it introduces security issues which are discussed further here: http://drupal.org/node/1289898. As long as this issue is not fixed, I won't be able to have this code in variable_email. However, you can, if you understand the security risks, uncomment this line of code I'm talking about...

Here is a patch to uncomment the lines of code, however, this patch won't be committed :-)

Hi, if this patch is not committed what is then the best solution?|
greetings, Martijn

Where are we on this issue? I've tried uncommenting the code mentioned above, but the Tokens aren't surfacing. Do I need to patch Rules as well? This seems to be fairly important.

This is a serious problem for us. Could I replace [user:one-time-login-url] with [current-user:login-one-time] as a workaround?

I'm replying to this post again because I have potential customers who cannot login after ordering. I think this is a critical issue.

Any help would be appreciated.

For those using this patch, be sure that you are literally using [user:one-time-login-url]. Using anything else such as [account:one-time-login-url] won't work.

I've looked in the code and despite the user prefix, my understanding is that this token is substituted just as it would normally for $account. This is due to a quirk in the way user_mail_tokens() substitutes the tokens.

Added some detail.

Updated issue summary.

>The solution is to roll a tiny module "get onetime login link as variable".

That's just about 20 lines of code.

That's just about 20 lines of code.

Unless I'm mistaken, I do not think that it is currently possible to put in a custom module. There are no hooks to extend variable_email's token processing and implementing hook_mail_alter to replace the additional tokens after the fact is a bit of a stretch since the $account object is never passed. In theory you could try loading the users object by their email, but I feel like that's just clunky.

Unless I've missed something?

Updated

#9: please read #1289898-7: Action: Generate a one-time-login-url where fago puts it plain:
the plan is to have an action "generate onetimeloginurl" which provides this as a text variable.
the text variable is then accessible as a token.

;-)

That was nearly two years ago... I don't think that's happening anytime soon :/

It will happen as soon as anyone spends the 2 hours (or pays someone doing it) which can be today.

I think removing this code ALSO causes an issue with the normal user login link. SO I changed my email message to tell people just to request a new password but now those variables are never set properly due to this change? Or is this another bug...

#10 There's a patch available now. I didn't test it yet. https://drupal.org/node/1289898#comment-7842483

See #1430694: [user:one-time-login-url] is not available on config page, so new user cannot log in. Note that the fix in that issue requires uncommenting a couple of lines.

Updated issue summary.

#15 Please correct issue number. This issue is duplicate to self?

This is still active to my understanding
some people call duplicate but don't provide the duplicate thread
so this is still active

solutions above are workarounds at best

Sorry, that should have linked to #1289898: Action: Generate a one-time-login-url which this issue is a duplicate of.

From this issue's description -

As stated in #1289898-9: Action: Generate a one-time-login-url: providing the one-time-login-url as token will NOT get committed, because it has the security implication "use tokens" >= "takeover any account" which is not wanted.

The solution is to roll a tiny module "get onetime login link as variable".

That module I think is in the linked issue. Marking duplicate again (you're free to undo this if you feel it's appropriate).