Closed NicoHood closed 3 years ago
Yes, it's for testing and debugging only.
But even then an empty email should be sent, not the password. I was not expecting this, and I had to change the password everywhere. Now if someone uses the same password on multiple sites (which you surely should not do), this is a real issue, as you would not expect that this simple text function leaks your password.
Even for testing you never want to leak your passwords to any SMTP server. The mentioned line could be replaced by something very simple like 'This is a test email'.
I've tried the CLI test email option and got an email with the email plugin settings. The password was included.
I think there really must be an option to hide the password. I remember that other software uses a special secrets.yaml file which can be included in the configuration itself. This secret file is not committed to git, and of course will not be sent via a test email.

This should be fixed... https://github.com/getgrav/grav-plugin-email/blob/e92d16bd268b3ddd140bd96061632a1065be344c/cli/TestEmailCommand.php#L88
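
One way to mask credentials before a settings dump goes into a test email body, as an added example that is not code from the Grav email plugin. The function names, the list of key-name fragments and the sample settings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Key-name fragments treated as secret (an assumption; extend for your config).
const SENSITIVE_KEY_PARTS = ['password', 'passwd', 'secret', 'token', 'api_key'];

// Case-insensitive substring match of a config key against the list above.
function is_sensitive_key(string $key): bool
{
    $key = strtolower($key);
    foreach (SENSITIVE_KEY_PARTS as $part) {
        if (strpos($key, $part) !== false) {
            return true;
        }
    }
    return false;
}

// Return a copy of $config with values under sensitive keys masked.
// Nested arrays are walked recursively; a whole array under a sensitive key is masked.
function redact_config(array $config, string $mask = '********'): array
{
    $out = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && is_sensitive_key($key)) {
            // Keep empty values visible so "not set" is still diagnosable.
            $empty = ($value === null || $value === '' || $value === []);
            $out[$key] = $empty ? $value : $mask;
        } elseif (is_array($value)) {
            $out[$key] = redact_config($value, $mask);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample settings, not taken from a real installation.
$settings = [
    'from'   => 'noreply@example.com',
    'mailer' => ['engine' => 'smtp', 'smtp' => [
        'server'   => 'smtp.example.com',
        'port'     => 587,
        'user'     => 'mailer@example.com',
        'password' => 'constructed-sample-value',
    ]],
];

// The body still shows server, port and user for debugging, but not the password.
echo "This is a test email.\n\n",
    json_encode(redact_config($settings), JSON_PRETTY_PRINT), PHP_EOL;
```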