Work around is of course to set the "Method for viewing passwords" to "Own page" instead of "Both" or "Collapsible box". But I would consider this an unexpected behaviour though, and we all sometimes do a login as admin with somebody in the back – maybe on a machine where JS is disabled and experiencing this behaviour the first time.

Would be a small change to make the fieldset invisible with a "display: none;" and finally reveal it by JS itself on page load.

CommentFileSizeAuthor
#8 password_is-1114780-8.patch3.14 KBiberezovchuk
#3 password_is-1114780-3.patch2.23 KBiberezovchuk

Comments

Leeteq’s picture

Leeteq commented
Version: 6.x-1.4 » 7.x-1.x-dev

I think that when Javascript is disabled, it should provide a dedicated link to load the password manually to its own "page".
With JS enabled, the link should collapse so the password is initially hidden behind the link, then revealed inline when clicking on the link.
(Setting it for 7.x first, which then may be backported.)

EvanDonovan’s picture

EvanDonovan commented
Category: feature » bug
Priority: Normal » Major

Personally, I think this might be considered a security issue. Not everyone uses JS.

It is mitigated to a certain extent by the fact that only the user will see it him/herself.

What's the best way to handle this, do you think?

iberezovchuk’s picture

iberezovchuk commented
Issue summary: View changes
Status: Active » Needs review
StatusFileSize
new password_is-1114780-3.patch2.23 KB

There are ajax link for showing password on user page.

andriyun’s picture

andriyun commented
Status: Needs review » Needs work 
  1. +++ b/aes.module
@@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
+function aes_password_view($uid) {
+  $output = '<div id="aes_password">';
+  drupal_add_library('system', 'drupal.ajax');
+  $link = l(t('Show pass'), 'aes_get_password_callback/' .$uid. '/nojs/', array('attributes' => array('class' => array('use-ajax'))));
+  $output .= "$link</div>";
+  return $output;
+}

    I think code from this function should move to line 416.
    There is no need for new custom function.
    Please note to space after dots. And line length should be less than 80 characters 

  2. +++ b/aes.module
@@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
+

    Please add documentation for function.

andriyun’s picture

andriyun commented 
+++ b/aes.module
@@ -403,11 +412,11 @@ function aes_user_view($account, $view_mode, $langcode) {
-      $password_form = drupal_get_form('aes_view_password_form', aes_get_password($account->uid, TRUE));

If aes_view_password_form is never used, should be remove function code from module

podarok’s picture

podarok
🇺🇦 he/him/his
Primary language Ukrainian
Location Ukraine
commented 
  1. +++ b/aes.module
@@ -35,6 +35,15 @@ function aes_menu() {
+    'title' => 'User password',

    User's pasword 

  2. +++ b/aes.module
@@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
+function aes_password_view($uid) {

    Needs docblock 

  3. +++ b/aes.module
@@ -421,6 +430,32 @@ function aes_user_view($account, $view_mode, $langcode) {
+function aes_ajax_callback($uid, $type = 'ajax') {

    Needs docblock

iberezovchuk’s picture

iberezovchuk commented
Assigned: Unassigned » iberezovchuk
iberezovchuk’s picture

iberezovchuk commented
Status: Needs work » Needs review
StatusFileSize
new password_is-1114780-8.patch3.14 KB

There is patch with fixed bugs.

podarok’s picture

podarok
🇺🇦 he/him/his
Primary language Ukrainian
Location Ukraine
commented
Assigned: iberezovchuk » Unassigned
Status: Needs review » Reviewed & tested by the community

Code looks good for me.

  • dpovshed committed 58d085a on 7.x-1.x 
    Issue #1114780: minor code clean-up.
  • dpovshed committed e32164c on 7.x-1.x authored by TaNLaN
    Issue #1114780 by TaNLaN: Password is unexpectedly visible on the 'My...
dpovshed’s picture

dpovshed commented
Status: Reviewed & tested by the community » Fixed

  • dpovshed committed 4f0f78f on 7.x-1.x 
    Issue #1114780: default setting is to view password on a separate page;...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.