Include restriction to REQUEST NEW PASSWORD
doerings_net - November 16, 2008 - 14:57
| Project: | User Protect |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | by design |
Jump to:
Description
A user can still bypass the protection @ password changes by requesting a new password from the forgotten password page of standard Drupal.
Any chance to add a hook there whether the user is allowed to change the password?
Thanks.
#1
[EDIT] title changed for clarification due to field length restriction
#2
are you referring to the protection activated by disabling the 'change own password' user permission?
#3
Maybe No request new password should be useful to port this option on User Protect.
#4
i'm happy to review a patch that closes this discrepency, so somebody please offer one up ;)
#5
i looked into this further. the 'Request new password' feature in core does *not* provide the user with a new password, but merely a one-time login link they can use to login and change their own password.
as such, userprotect needs no change that i can see, because when the user uses the one-time login, they get sent to their edit page, where they are still unable to change their password if it's protected.
and, at least they have some half-assed way to login until they can get their password changed by an admin... ;)