A user can still bypass the protection @ password changes by requesting a new password from the forgotten password page of standard Drupal.

Any chance to add a hook there whether the user is allowed to change the password?

Thanks.

Comments

doerings_net’s picture

Title: Include restriction to Drupal's system feature REQUEST NEW PASSWORD » Include restriction to REQUEST NEW PASSWORD

[EDIT] title changed for clarification due to field length restriction

hunmonk’s picture

Status: Active » Postponed (maintainer needs more info)

are you referring to the protection activated by disabling the 'change own password' user permission?

chirale’s picture

Maybe No request new password should be useful to port this option to User Protect.

hunmonk’s picture

i'm happy to review a patch that closes this discrepancy, so somebody please offer one up ;)

hunmonk’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)

i looked into this further. the 'Request new password' feature in core does *not* provide the user with a new password, but merely a one-time login link they can use to log in and change their own password.

as such, userprotect needs no change that i can see, because when the user uses the one-time login, they get sent to their edit page, where they are still unable to change their password if it's protected.

and, at least they have some half-assed way to log in until they can get their password changed by an admin... ;)