Comments (7)

erommel commented on August 23, 2024 1

Hi Uwe.

We had discussions with the team and decided to make the following changes:

  1. Add a note to the email activation feature description that it stores temporary decryptable passwords.

  2. Add "swpm_email_activation_data" filter so you can modify temporary email activation data per your needs. Remove password from it, for example.

I have also made a tiny plugin that does the thing for you - it removes the plain text password before it's stored in the database. Using this plugin you can still use the latest versions of the Simple Membership plugin without the need to modify its core files. https://github.com/erommel/simple-membership-enchancements

from simple-membership.
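A minimal site plugin that hooks the `swpm_email_activation_data` filter named in the comment above, as an added example (it is not code from Simple Membership or from the linked enhancements plugin). It assumes the filter passes the activation data as an array in its first argument, and that the password entry can be recognised by a key containing "pass"; the real key name is not given on this page, and the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: SWPM activation data scrubber (added example)
 * Description: Strips password fields from email activation data before it is stored.
 */

defined( 'ABSPATH' ) || exit; // only run inside WordPress

/**
 * Remove password-like entries from the temporary activation data.
 *
 * Assumption: $data is an array; anything else is returned untouched.
 * Assumption: password entries have a key containing "pass"
 * (the plugin's actual key name is not shown on this page).
 */
function example_swpm_scrub_activation_data( $data ) {
    if ( ! is_array( $data ) ) {
        return $data;
    }

    foreach ( $data as $key => $value ) {
        if ( is_string( $key ) && false !== stripos( $key, 'pass' ) ) {
            // Drop the entry entirely so nothing decryptable reaches the database.
            unset( $data[ $key ] );
        } elseif ( is_array( $value ) ) {
            // Handle nested structures the same way.
            $data[ $key ] = example_swpm_scrub_activation_data( $value );
        }
    }

    return $data;
}
add_filter( 'swpm_email_activation_data', 'example_swpm_scrub_activation_data' );
```

With the password removed, the features the thread says depend on it (autologin and emailing the password after registration) cannot use it.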

erommel commented on August 23, 2024

Hi Uwe and thank you for your input.

Decryptable password is saved to the database temporarily, until the user activates his/her account if Email Activation is enabled. After the account is activated, the data gets deleted. It also gets deleted by a cron job which runs daily, to remove potential leftovers in situations where the user never actually activated his/her account. After the activation (or if it's not enabled), only the password's hash is stored in the DB.

And yes, the plain password is needed for autologin and/or sending the password to the user's email after registration. I agree it's not a good idea to do that (send email with password), but that's how it has worked over the years and customers are definitely used to this.

I have an idea how this could be changed though. We can add an option to the settings, something like "Allow less-secure passwords handling" (which should be DISABLED by default), which allows the site admin to decide whether he/she wants to trade some security for the functionality he/she is used to.

I will also research if it's possible to handle autologin stuff without storing plain text password.

Keep in mind this should be discussed with the team first, as at the moment it's just my suggestion.

utrenkner commented on August 23, 2024

Thanks for your reply. I fully understand your thoughts concerning backward compatibility (not taking a feature away from your users). And I very much appreciate your ideas for how to address the issues (additional info, option).

I look forward to the further developments!

utrenkner commented on August 23, 2024

Wow! Thank you for the changes and the enhancements plugin!

utrenkner commented on August 23, 2024

Just noticed: Plain password is back! How could this be?! Took me quite some time to understand: I now use the Form Builder Addon, which has a similar update_options code which is not covered by the additional filter.

utrenkner commented on August 23, 2024

Just installed Form Builder Addon 4.7.6 and now the hook works again! Thank you very much!

erommel commented on August 23, 2024

Sorry for the late reply.

Yep, it was implemented along with the changes in the core plugin.
