Allow password reset for all user having the shared email address

The way Shared Email works is that an email is sent to the email address attached to the account that performed the password reset request.

In other words, if account A and account B have the same address, an email will be sent to the shared email address regardless of which account was used.

Does this answer your question?

No, only one email will be sent. The one-time link in that email will log you into one of the accounts that shares that email address (probably the oldest account, the one with the lowest uid) so you can reset the password. To reset the password for the other account, the user would have to type in the username instead of the email address on the request new password form.

I think I can write a patch to send a password recovery email for every account that shares the same email address.

@wesayo: a patch would be great. Thanks! Please feel free to open a new issue for this:

   http://drupal.org/node/add/project-issue/sharedemail

I believe this issue has been answered and I'm marking it as fixed. We can update Shared Email's documentation if wesayo's patch goes into a future release.

This thread doesn't definitively answer the original question, nor does documentation (that I could fine).

The one-time link in that email will log you into one of the accounts that shares that email address (probably the oldest account, the one with the lowest uid) so you can reset the password

"probably"? is this based on intricacies of mysql, or other factors?

Hello @christefano,

I had this need for a project where I use Shared E-mail and import the accounts with feeds. My users can potentially have two accounts with the same email address, with different roles.

I prepare a patch I've made for it, and I hope I've done it well (this is my first patch on a Drupal project).

The idea of this patch is to modify the behaviour of the user_pass form validation and submit methods, to use all the records found in the user table.

Just to be sure, here is the code I add in the module :

/**
 * Implements hook_form_FORM_ID_alter().
 * To modify the password reset submit
 * and validation
 * 
 * @see			https://www.drupal.org/node/1203504
 */
function sharedemail_form_user_pass_alter(&$form, &$form_state) {
    unset($form['#validate']);
    $form['#validate'][] = '_sharedemail_user_pass_validate';
    
    unset($form['#submit']);
    $form['#submit'][] = '_sharedemail_user_pass_submit';
}

/**
 * User Password Form validation function
 * To replace the one from user module
 * 
 * @see			https://www.drupal.org/node/1203504
 */
function _sharedemail_user_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);
  // Try to load by email.
  $users = user_load_multiple(array(), array('mail' => $name, 'status' => '1'));
  if (empty($users)) {
    // No success, try to load by name.
    $users = user_load_multiple(array(), array('name' => $name, 'status' => '1'));
  }
  if (!empty($users)) {
    form_set_value(array('#parents' => array('users')), $users, $form_state);
  }
  else {
    form_set_error('name', t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));
  }
}


/**
 * Form submit function
 */
function _sharedemail_user_pass_submit($form, &$form_state) {
  $users = $form_state['values']['users'];
  foreach($users as $user) {
    // Set the account value
    form_set_value(array('#parents' => array('account')), $user, $form_state);

    // Call the user module submit method
    user_pass_submit($form, $form_state);
  }
}

"probably"? is this based on intricacies of mysql, or other factors?

To re-iterate on this, I can verify on #3 that effectively the lowest uid for given email address is used for the password reset.

See relevant explanatory code below, from core user module:

/**
 * Form validation handler for user_pass().
 *
 * @see user_pass_submit()
 */
function user_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);
  // Try to load by email.
  $users = user_load_multiple(array(), array('mail' => $name, 'status' => '1'));
  $account = reset($users);

This would indeed mean that only the first user for an email address can have its password reset through the generic password reset form, so I believe this can be classified as a bug.

#7 looks promising but it needs some good review / testing before it can be included.

Based on ccrosaz patch, i've done another possible way of solving this issue :

* if there is only one corresponding account, it will simply send the standard reset password message
* if several account correspond to the email, it will send an email with the available login name for this email that they can use to ask for a reset

It's a multi-step process but i think it will scale better if we have more than 2-3 account associated with the same email.

The message could be improved and we might add direct links to password reset for each user. Even better if we could trigger the password reset email with a link without having to submit a form.