From d60f3e6524ff3d137a8392dbbaae8ce7f5a2a01d Mon Sep 17 00:00:00 2001
From: Jakub Jalowiec
Date: Mon, 30 Sep 2019 22:06:59 +0200
Subject: [PATCH 1/3] formtools/module-submission_accounts#11 using encryption of passwords during authorization of submission account
---
 code/Users.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/Users.class.php b/code/Users.class.php
index 151d1d9..556ec8d 100644
--- a/code/Users.class.php
+++ b/code/Users.class.php
@@ -122,7 +122,7 @@ public static function login($info, $L)
 $account_found = false;
 $submission_info = array();
 foreach ($submissions as $submission) {
- if ($submission[$password_col] == $info["password"]) {
+ if ($submission[$password_col] == General::encode($info["password"])) {
 $account_found = true;
 $submission_info = $submission;
 break;
From ff365eff2b2cb96bdd3c1811965bc09651b80bd6 Mon Sep 17 00:00:00 2001
From: Jakub Jalowiec
Date: Mon, 30 Sep 2019 22:07:43 +0200
Subject: [PATCH 2/3] formtools/module-submission_accounts#11 hiding password in the user interface of submission account
---
 templates/users/index.tpl | 17 ++++++++++-------
 users/index.php | 3 ++-
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/templates/users/index.tpl b/templates/users/index.tpl
index 2f9f18d..751befc 100644
--- a/templates/users/index.tpl
+++ b/templates/users/index.tpl
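Review bot: In the `login` hunk of code/Users.class.php the stored value and the computed hash are compared with `==`, which is a loose, non-constant-time comparison; PHP treats two numeric-looking strings (for example digests of the form `0e` followed by digits) as equal under `==`. The line should read `if (hash_equals((string) $submission[$password_col], General::encode($info["password"]))) {`. `General::encode` is not shown in this patch; if it is a fast unsalted digest, `password_hash()` with `password_verify()` would be the stronger choice. Rows that still hold a plaintext password will presumably stop matching after this change unless they are migrated. The body of `login` starts and ends outside the hunk.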
@@ -36,13 +36,16 @@
 {foreach from=$fields item=curr_field}
 {assign var=field_id value=$curr_field.field_id}
-
- {$curr_field.field_title} {if $curr_field.is_required}*{/if}
-
- {edit_custom_field form_id=$form_id submission_id=$submission_id field_info=$curr_field field_types=$field_types
- settings=$settings}
-
-
+ {* do not show password (more precisely - password hash *}
+ {if $curr_field.field_type_id != $password_type_id}
+
+ {$curr_field.field_title} {if $curr_field.is_required}*{/if}
+
+ {edit_custom_field form_id=$form_id submission_id=$submission_id field_info=$curr_field field_types=$field_types
+ settings=$settings}
+
+
+ {/if}
 {/foreach}
 {if $fields|@count > 0}
diff --git a/users/index.php b/users/index.php
index 8714b3c..e01557e 100644
--- a/users/index.php
+++ b/users/index.php
@@ -131,7 +131,8 @@
 "word_yes",
 "phrase_validation_error",
 "word_close"
- )
+ ),
+ "password_type_id" => FieldTypes::getFieldTypeIdByIdentifier("password")
 );
 $page_vars["head_string"] = <<< END
From 31e02f49de06846fa282ab7464361686fb5c30d6 Mon Sep 17 00:00:00 2001
From: Jakub Jalowiec
Date: Wed, 2 Oct 2019 20:16:41 +0200
Subject: [PATCH 3/3] formtools/module-submission_accounts#11 refactoring sendPassword function so it uses encryption of passwords
---
 code/Users.class.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/code/Users.class.php b/code/Users.class.php
index 556ec8d..227af56 100644
--- a/code/Users.class.php
+++ b/code/Users.class.php
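Review bot: The new `{if $curr_field.field_type_id != $password_type_id}` guard in templates/users/index.tpl only suppresses rendering; the password hash is presumably still loaded into `$fields` and the submission data handed to the template, and nothing in this patch shows the save handler ignoring a posted value for that column. Dropping the password field from the field list before the template variables are assigned would keep the hash out of the view layer, and the update path should refuse that column explicitly. The added comment is also missing its closing parenthesis; `{* do not show the password field (its value is the stored hash) *}` reads more clearly.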
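Review bot: The value assigned to `"password_type_id"` in users/index.php is passed to the template unchecked, so the template guard fails open when the lookup finds nothing: with an empty or null id, `field_type_id != $password_type_id` is true for every field and the password column is rendered again. What `FieldTypes::getFieldTypeIdByIdentifier("password")` returns for a missing field type is not visible here and should be confirmed. Resolving the id into a local variable first and handling the not-found case explicitly (for example by treating it as an error rather than rendering the page) makes the behaviour deliberate. The array this entry is added to begins outside the hunk.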
@@ -310,9 +310,19 @@ public static function sendPassword($form_id, $info, $L)
 $username = $submission_info[$username_col];
 $field_info = Fields::getFormField($submission_account["password_field_id"]);
+ $password = General::generatePassword();
 $password_col = $field_info["col_name"];
- $password = $submission_info[$password_col];
+ $encrypted_password = General::encode($password);
+ // update the database with encrypted password
+ $db->query("
+ UPDATE {PREFIX}form_{$form_id}
+ SET $password_col = :encrypted_password
+ WHERE submission_id = :submission_id
+ ");
+ $db->bind("encrypted_password", $encrypted_password);
+ $db->bind("submission_id", $submission_info["submission_id"]);
+ $db->execute();
 // 1. build the email content
 $placeholders = array(
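Review bot: In the `sendPassword` hunk the new hash is committed with `$db->execute()` before the step marked `// 1. build the email content`, so the stored credential is replaced before the message exists and a failed send leaves the account with a password nobody knows. Each call also rotates the credential of the matched account, so if this function is reachable without authentication a request naming someone else's account changes that account's password. A single-use, expiring reset token avoids both problems; at minimum the UPDATE should run only after the mail call reports success. The table name is built by interpolating `$form_id`; unless it is validated earlier in the function, outside this hunk, add `$form_id = (int) $form_id;` before the query, and make sure `$password_col` only ever comes from the stored field configuration. How `General::generatePassword()` draws its randomness is not shown and should be confirmed to use a CSPRNG such as `random_int()`.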