Magento - How to get a customer (user) password
I wrote this code in an external PHP file to get user information:
$customerCollection = Mage::getResourceModel('customer/customer_collection')
    ->addNameToSelect()
    ->addAttributeToSelect('email')
    ->joinAttribute('postcode', 'customer_address/postcode', 'default_billing', null, 'left')
    ->joinAttribute('billing_city', 'customer_address/city', 'default_billing', null, 'left')
    ->joinAttribute('billing_region', 'customer_address/region', 'default_billing', null, 'left')
    ->joinAttribute('billing_country_id', 'customer_address/country_id', 'default_billing', null, 'left');
I also want to get the users' passwords in my request.
How can I do that?
Thanks a lot.
To answer your comments, no there is not a solution if you need the cleartext password, and that is a Very Good Thing. If you were able to trivially retrieve a customer's password, that would mean that an attacker would also have this ability.
To prevent that, Magento hashes your password (using MD5 or SHA1, depending on your edition of Magento), and includes a "salt" value to add to the complexity of the password. This is standard cryptographic practice.
The link you posted shows how to let customers use their own passwords to log into multiple sites at once. Aside from the fact that the code on that page isn't terribly good, it won't address your problem.
If you need to log in as a user on the frontend, there are modules to do this or you can write your own. Basically, check to see that you have a valid administrative session with permission to connect to user accounts, and force the login credentials into the session. Keep in mind that this is already problematic from a security standpoint, but it may be necessary for your business.
If you're trying to log into another system you control as your user, you're basically stuck writing the same module on that platform. If you do have/find a platform that lets you retrieve the user's password, stop using it until that flaw is patched. This would be a huge red flag for any system that also deals with sensitive information (e.g. customer info, payment info).
If you have any other questions (or if you provide a little more detail on what you want to accomplish), I'll be happy to help. Hope that helps!
Thanks, Joe
You can get the customer's hashed password in the following way if you have the customer's email.
$customer_password = Mage::getModel("customer/customer")->setWebsiteId(Mage::app()
->getWebsite()->getId())->loadByEmail($customer_email)->getPasswordHash();
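Added example, not part of the original answers: a stored value like the one returned by getPasswordHash() can confirm a candidate password without ever yielding the cleartext, which is what another system you control would do at login. The "md5(salt . password):salt" layout and the function names below are assumptions made for illustration, and the sample value is constructed.

```php
<?php
// Added example. Assumes the stored value has the layout
// "md5(salt . password):salt"; all function names are hypothetical.

/** Build a stored value in the assumed layout (used only to make sample data). */
function makeStoredHash(string $password, string $salt): string
{
    return md5($salt . $password) . ':' . $salt;
}

/** Check a candidate password against a stored "hash:salt" value. */
function verifyStoredHash(string $candidate, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false; // malformed or unsalted value: reject rather than guess
    }
    [$hash, $salt] = $parts;
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($hash, md5($salt . $candidate));
}

/**
 * The cleartext exists only while the user is logging in. On success the
 * receiving system can store its own modern hash instead of the salted MD5.
 * Returns the new hash, or null when the password does not match.
 */
function loginAndUpgrade(string $candidate, string $stored): ?string
{
    if (!verifyStoredHash($candidate, $stored)) {
        return null;
    }
    return password_hash($candidate, PASSWORD_DEFAULT);
}

// Constructed sample data, not a real customer record.
$stored = makeStoredHash('correct horse', 'Xk');

var_dump(verifyStoredHash('correct horse', $stored));  // matching password
var_dump(verifyStoredHash('wrong guess', $stored));    // non-matching password
var_dump(verifyStoredHash('correct horse', 'nosalt')); // malformed stored value

$upgraded = loginAndUpgrade('correct horse', $stored);
var_dump($upgraded !== null && password_verify('correct horse', $upgraded));
```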
Paste the following code in your connectAsAction in the controller you use and get the correct param:
public function connectAsAction()
{
    // Only admins granted the 'customer/connectas' ACL resource may continue.
    if (!Mage::getSingleton('admin/session')->isAllowed('customer/connectas')) {
        echo 'You are not allowed to connect as another user';
        return;
    }
    $customerId = $this->getRequest()->getParam('id');
    $customer = Mage::getModel('customer/customer')->load($customerId);
    if ($customer->getId() != $customerId) {
        echo 'User not found.';
        return;
    }
    // Fall back to the default store of the customer's website
    $preferedStoreViewId = $customer->getPreferedStoreViewId();
    if (!($preferedStoreViewId > 0)) {
        $preferedStoreViewId = Mage::app()->getWebsite($customer->getWebsiteId())
            ->getDefaultStore()->getStoreId();
    }
    // Close the current session before switching to the frontend one
    session_write_close();
    // Delete the 'frontend' cookie
    $params = session_get_cookie_params();
    setcookie(
        'frontend',
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );
    // Here we need to write on the session
    // corresponding to the frontend website
    session_regenerate_id();
    session_name('frontend');
    session_start();
    $customer->setPreferedStoreViewId($preferedStoreViewId);
    // We set the customer and its store view
    Mage::app()->setCurrentStore(Mage::getModel('core/store')->load($preferedStoreViewId));
    Mage::getSingleton('customer/session')->setCustomerAsLoggedIn($customer);
    // We need to write data before continuing
    // in the normal Magento process
    session_write_close();
    // Redirect to the front on the specific store view
    $this->_redirectUrl(Mage::app()->getStore($preferedStoreViewId)->getBaseUrl());
}
This is from my blog: http://benjion.wordpress.com/2011/04/29/magento-se-connecter-en-tant-que-client-depuis-ladmin/
You can get customer's hashed password this way (let's say you want a customer depending on email address):
$customer = Mage::getModel('customer/customer_api');
$data = $customer->items(array('email' => $customeremail));
return $data['password'];