Hellow, i have a Drupal 7 site. Anonymous users can create a node and here they have to write their mail.

When the node is created, rules will create a new user account and then send an email which contains username and one-time login url.

The user account is successfully created, and mail is successfully sent but in the mail is not the one time url, but only this: [entity-name:one-time-login-url]. Is the problem in Rules?

I hope i described it well.

#39 rules-generate-onetimelogin-1289898-39.patch1.08 KBNebel54
PASSED: [[SimpleTest]]: [MySQL] 351 pass(es).
[ View ]
#6 1289898-rules-restricted-user-tokens.patch807 bytesklausi
PASSED: [[SimpleTest]]: [MySQL] 327 pass(es).
[ View ]


Yeah the token is not being reinterpreted. So we literally see [account:one-time-login-url] instead of a link in the website. Having the same problem.

Same here. Any way to fix it?

Have anybody found any solution?


I agree that it is strange that the token says it is supposed to output one thing, but does not work. However, you can also use this solution:

Use the PHP evaluation (enable PHP module) and make sure you have a user loaded (often when it is created, it's created by default as $entity_created).

Use this snippet:

-time = user_pass_reset_url($entity_created);

Hope that helps someone!

Version:7.x-2.0-rc2» 7.x-2.x-dev
Status:Active» Needs review
new807 bytes
PASSED: [[SimpleTest]]: [MySQL] 327 pass(es).
[ View ]

Here is a patch that adds the restricted user tokens to the Rules token input evaluator. Not sure this is the right way to do it. Please test.

Status:Needs review» Needs work

I guess the cause for this strange implementation is access, so taking over user accounts for people isn'T possible as soon as they can use tokens....

Thus, we somehow need to implement this access restriction in rules too. Tokens don't support access restrictions though. I could see this work via an separate action that generates those tokens and gives them back as text variables. Then tokens for those text variables can be used (though I think that needs to be fixed for rules2 first).

Probably, even better than an action would fit exposing those parameters as entity properties. However, first we should fix entity-tokens to don't provide tokens of sensitive properties, but then those properties would be unusable again in Rules again - as long as one doesn't copy them in new variables ;)

So I think the action would be the was way to proceed. E.g. "Generate user login tokens" ?

Meh, too complicated. At the moment there are only 2 restricted tokens in token.module, so I vote for this simple approach before we start over-engineering here. Also token.module does not provide any hint which callback to use for the restricted user properties, so Entity/Rules would have to add this manually anyway.

And I don't understand the security concern here: people that can administer rules have super permissions anyway, so what's the harm?

>And I don't understand the security concern here: people that can administer rules have super permissions anyway, so what's the harm?

No. Rules does access checks, thus you can grant 'administer rules' without giving away full site-privileges. The super permission is not 'administer rules', but 'bypass rules access'.

The patch from #6 would allow each rules-user to take over the site, just with 'administer rules' and might even work for users of VBO..

Indeed, just learned that "administer rules" is not a p0wning permission. So the @todos are:

* Remove user login/cancel URL tokens from the replacement patterns listing (I think this needs to go into the Entity API tokens stuff?)
* Provide the "Generate user login/cancel URLs" action that provides the two URL variables. Permission required: administer users?
* Expose primitive (text, URL, decimal etc.) Rules variables as tokens.


Sounds good, yes. Although I don't think entity tokens provide login/cancel tokens as there are no such properties, my guess would be token module.


Stop subscribing, start following: http://drupal.org/node/1306444


Is this issue about 'user' (the logged-in user) or also about 'entity-created(user)'?

In my setup a user kan create an other user with a webform. After the webform is submitted a rule creates the account: entity-created(user). Works fine.

In the email sent by a rule I want a one time login for the new entity-created(user). No way: the tokens are available but are not links in the email: [entity-created:one-time-login-url] and [entity-created:edit-url].

Php snippet #5 and the patch #6 did not help,

Is there a workable sollution available for this?

@cmseasy: D7 or D6?


Darn it. Just found my snippet didn't work after all (#5). Don't have the time to investigate right now, will post back when i get the time.

Status:Needs work» Needs review


found a solution/work around

instead of using the replacement pattern [account:one-time-login-url], call the function that is supposed to be replaced by that token which is user_pass_reset_url() and user $account as its parameter.

so, the email should go something like this:



You are now a member [site:name]

print user_pass_reset_url($account);

The link above will log you in to the site where you can reset your password.

After setting your password, you will be able to log in at [site:login-url] in the future using:

username: [account:name]
password: Your password

Thank you jeuelc! you are a savior. Works like a charm.

I had a real bad time getting this to work with Drupal Commerce. I applied the patch from this thread: http://drupal.org/node/1430694 but to no effect, the tokens weren't becoming available. I also have display suite installed and using the display suite code format with the default token [user:one-time-login-url] somehow works :D

Component:Rules Engine» Rules Core

@leex: can you tell me the exact steps you did to get this working? I am not succesfull in this using drupal commerce..
greetings, Martijn

#20 gave me this email in drupal commerce using php as input format:

You may now log in by clicking this link or copying and pasting it to your browser:
<?php print user_pass_reset_url($account);?>
This link can only be used once to log in and will lead you to a page where you can set your password.
After setting your password, you will be able to log in at

Somehow drupal commerce (commerce email) doesn;t interpreted the php correct..

greetings, Martijn

@Summit I think the reason your php isn't working is because you need to have the PHP Code text format selected for that textarea, if it isn't available then you need to enable it under the core modules.

If you want to do what I did, you will need to install the Display Suite module. This will make the 'Display Suite code' appear in the text format drop down. I used this text format with the token from my post above and it works.

Hi @leek, I have php code text format selected.
See this issue: http://drupal.org/node/1606862
I think php is somehow not working using commerce email and rules...

greetings, Martijn

@Marijn It didn't work for me either, the display suite code did.

#20 workaround was great, If there is a simpler fix than installing displaysuite I´m all ears, meanwhile, it´s a relief.

Thanks, @jeuelc


Code in #5 is a good work around if you are ok with enabling PHP eval. (This has some security risks.) But the code as given won't work: PHP variable names cannot include dashes. It should be $one_time rather than $one-time.

And if you try this, you may find other errors being generated: the entity you get from rules for the newly created user is not completely filled in with all values because it has not been saved yet.

The code you may need to use is:

$new_user = user_save($new_user);
print user_pass_reset_url($new_user);

This assumes that the user entity created was given the variable new_user, and not the default, which is entity_created.

Status:Needs review» Needs work

I'm not really sure of the status of this issue. Would someone please extract the meaning of #14-#29 according to #10?

Part of the confusion above is that in rules there are two ways to send emails.

1. Add New Action -> User -> Send account email

2. Add New Action -> System -> Send email.

Unfortunately, which tokens you get to use depends on which action you are using, but I have not found any documentation that describes this.

hi all

if you change on the role "Send email" to "Send account e-mail" then it works fine...
you have on the $param from htmlmail the $account... with this you can generate a onetime link like this...

$url_onetime = user_pass_reset_url($params['account']);
$username = $params['account']->name;

important, is better to generate a own template file with the name "htmlmail--user--register_no_approval_required.tpl.php"


edit: Sorry, thought I had this working but was getting the core emails as well, which worked of course. :-/

The solution from #20 worked for me some time ago. Unfortunately recently it stopped working ... the url generated looks good, but if I follow the link I get the message that the on-time-login is expired. Any ideas what happened?

P.S. Password reset from the password reset form still works.

Status:Needs work» Needs review

#20 works.. I'd still like to see the token work though.

If you're using logintoboggan, [user:validate-url] will provide you with an account validation link. I only would use this if the password is set during registration, otherwise it will log in, but not prompt the user to set their password.


[user:validate-url] and [account:validate-url] is not interpreted in rule

i means that token is not remplaced by his value

is anyone have an idea for this ?


new1.08 KB
PASSED: [[SimpleTest]]: [MySQL] 351 pass(es).
[ View ]

I think there are two possible approaches:

Last week criz, dasjo and me discussed about the second approach, which would be great for a usecase like "Send a registration reminder with one-time-login when an account hasn't been activiated for two days".

So the attached patch addresses the second approach. It uses the rules_user_integration_access access callback which should be adequate for managing users.

Status:Needs review» Needs work
Issue tags:+Needs tests

+++ b/modules/user.eval.inc
@@ -98,5 +98,14 @@ function rules_action_user_unblock($account) {
+    return array(

Too much indentation - check the coding style.

+++ b/modules/user.rules.inc
@@ -214,6 +214,16 @@ function rules_user_action_info() {
+    'label' => t('Generate one-time log in'),

I'd append link to the label and maybe add a help text that says it provides the link back as variable so it can be used by .... (what would come here, a token in a e-mail message?)

+++ b/modules/user.rules.inc
@@ -214,6 +214,16 @@ function rules_user_action_info() {
+        'type' => 'text',

It provides just the URL, right? So the type should be URI then.

Also, we need to add test coverage.

+++ b/modules/user.rules.inc
@@ -214,6 +214,16 @@ function rules_user_action_info() {
+        'label' => t('One-time log in url for the user.'),

We should use the "official" spelling here, which should have URL in upper case.

It doesn't work for me. Should I change something else in the rules or the email template?

After patching with #39, I added the "Generate one-time log in" action the rule "Create a new account for an anonymous order (HTML)". The one_time_login_link PHP variable became available. Then I added the variable like this to the Account Email (/admin/commerce/config/email):

print $one_time_login_link;

The variable didn't print in the email and the site gave this error:

Notice : Undefined property: stdClass::$pass dans user_pass_reset_url() (line 2296 in /modules/user/user.module).
Notice : Undefined property: stdClass::$login dans user_pass_reset_url() (line 2296 in /modules/user/user.module).
PDOException : SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '' for key 'name': INSERT INTO {users} (uid, created, data) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2); Array ( [:db_insert_placeholder_0] => 9724 [:db_insert_placeholder_1] => 1380812977 [:db_insert_placeholder_2] => a:2:{s:7:"contact";i:0;s:18:"htmlmail_plaintext";i:0;} ) in drupal_write_record() (line 7043 in /includes/common.inc).

When you want to send mails to new user accounts (e.g. On "New user created"-Conditions) the actions are executed BEFORE the new user has been saved and an before it got an user id.

Therefor you need to add an action "Save Entity" (of the new user account) with the option "Force saving immediately" selected. Then you can use the new Generate one-time log in action.

I'm going to add a new patch which address fago's remarks, but as far as i know there is no other solution than an "Save Entity"-Action before using this action for this problem.

There's already a Save Entity action (see below). For now I will delete the "Send mail with Variable" action and replace it with the "Send account e-mail" action from Drupal core. It's a plain text email but the One Time Login URL token is working.

Create a new entity
Parameter: Entity type: User, Name: [commerce-order:mail], Email: [commerce-order:mail]
Provides variables: Created account (account_created)
Set a data value
Parameter: Data: [account-created:status], Value: Active
Save entity
Parameter: Entity: [account-created], Force saving immediately: true
Fetch entity by property
Parameter: Entity type: User, Property: Email, Value: [commerce-order:mail], Limit result count: 1
Provides variables: Fetched account (account_fetched)
Parameter: List: [account-fetched]
List item: Current list item (user)
   Send mail with Variable
   Parameter: To: [user:mail], Variable: commerce_email_account
   Set a data value
   Parameter: Data: [commerce-order:uid], Value: [user:uid]
   Set a data value
   Parameter: Data: [commerce-order:commerce..., Value: [user:uid]
   Set a data value
   Parameter: Data: [commerce-order:commerce..., Value: [user:uid]

#20 Worked for me using Drupal Commerce.

Enable PHP filter.

print user_pass_reset_url($account);
in email

Would still love a token!

I was getting error with $account, but this worked

print user_pass_reset_url($user);

important to change to phpcode text format. thank you... Its awesome being a part of a community of people helping to make good things happen.

The patch in #39 is not working for my updated Commerce installation. The workaround in #20 does.

#46 Worked for me, changing $account to $user was the key.

Just tried the patch in #20 but got access denied message after clicking link so didnt work for the commerce account email at /admin/commerce/config/email.

Will try the other solution as [user:one-time-login-url] token not printing at all for me and not available in the tokens list...

#46 worked for me for the commerce new order/new account email - many thx!

#46 worked for me, although I'd prefer a token solution. Also using Drupal Commerce. :)