It appears one can't request a new password using their email address instead of their username. Above the field it says "Username or e-mail address:" however only entering the username allows the user to request the password. Entering their email address returns an error saying "[email address here] is not allowed to request a new password."
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | user.pages_.inc-D6.patch | 1.27 KB | sl27257 |
Comments
Comment #1
paul-c commented: I am experiencing the same issue - users cannot request a new password using a valid, registered email address. Only usernames work.
Comment #2
Rainy Day commented: Having the same problem (Drupal 6.10), except it doesn’t allow users to request a new password based on username if that username contains a space.
I strongly suspect the problem has to do with user input filtering, or improper quoting. Perhaps characters like space and @ are being filtered out? If so, then Drupal will fail to find a match in the user DB. The error being returned is exactly the same as the no-match scenario. That would explain why eMail addresses always fail, and usernames fail when they contain spaces.
This problem might have arisen with one of the recent core security updates regarding input filtering, since both D5 & D6 seem to be affected.
Comment #3
paul-c commented: To further complicate things - usernames containing spaces do work for my site (Drupal 6.10). FWIW, all our site users need to register with a username in the form "First Last", with an access rule set to deny any usernames not in that format.
Comment #4
doriangray commented: Same problem here. Does anyone have a simple solution?
Comment #5
sl27257: This is probably covered by this fix in the 7.x branch. Somehow we need to get this included in the 6.x patch as well...
#332703: Username is validated against email access rules (and vice versa) for new password requests
/Thomas
Comment #6
sl27257: This is a port of the #332703: Username is validated against email access rules (and vice versa) for new password requests but for the 6.14 branch. I am not sure that this is the right way to do it but it is one way...
/Thomas
Comment #7
sl27257: Updating status
Comment #8
larskleiner commented: Thanks for the patch, works great!
Comment #9
sl27257: Seems like this needs to be moved to one release later? /Thomas
Comment #10
gpk commented: I can't reproduce this on a site running 6.13 which has no access rules, so I take it that the problem only shows up if you have access rules that are hit during the checks that take place during the new password request. Problem must have been introduced in 6.5 via this change http://drupalcode.org/viewvc/drupal/drupal/modules/user/user.pages.inc?r....
See also http://drupal.org/drupal-6.5, SA-2008-060.
Comment #11
paul-c commented: Yes, it seems to be linked to the access rules. We've shut down new membership registration for our site, and removed the access rules we had in place, and the password reminder is working for email addresses now.
Comment #12
sl27257: Correct, as I have seen it. I only see it on my sites where I have access rules in place.
Comment #13
locomo commented: I'm seeing the same behavior (with access rules in place). The patch works for me.
Comment #14
seanburlington commented: I think this is a duplicate of #332703: Username is validated against email access rules (and vice versa) for new password requests
There's a good explanation of the problem there - and the patch looks good to me.
Comment #15
brisath commented: On my site, "request new password" emails are not being sent for both usernames without spaces and email addresses even though the message on the site reads "Further instructions have been sent to your e-mail address." When I checked a username with spaces, it did work fine. I checked the other issue in #14 and it doesn't seem to apply, but maybe I'm wrong. In any case, I'm getting this in core 6.19 which came out after that issue was closed.
Comment #16
grendzy commented: I agree this is a duplicate of #332703. Since you are not seeing the "not allowed to request a new password" message, it would seem you have an unrelated problem with mail delivery.
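The cross-check named in the title of #332703, as a simplified model added here for illustration. It is not Drupal code and not the attached patch. The rule set (modelled on the "First Last" rule from comment #3), the sample account, and all function names are assumptions. It contrasts checking the raw input against both rule types with resolving the account first and checking each field against its own type.

```php
<?php
// Simplified model, not Drupal code. Rules and accounts are constructed samples.
// Assumption: a value is denied when it matches a deny mask of the given type
// and matches no allow mask of that type.
$rules = [
  ['type' => 'user', 'mask' => '%',   'allow' => false], // deny every username...
  ['type' => 'user', 'mask' => '% %', 'allow' => true],  // ...except "First Last"
];
$accounts = [['name' => 'Jane Doe', 'mail' => 'jane@example.com']];

// SQL LIKE style mask: % matches any run of characters, _ matches one character.
function mask_matches(string $mask, string $value): bool {
  $re = strtr(preg_quote($mask, '/'), ['%' => '.*', '_' => '.']);
  return preg_match('/^' . $re . '$/is', $value) === 1;
}

function is_denied(array $rules, string $type, string $value): bool {
  $deny = $allow = false;
  foreach ($rules as $r) {
    if ($r['type'] === $type && mask_matches($r['mask'], $value)) {
      if ($r['allow']) { $allow = true; } else { $deny = true; }
    }
  }
  return $deny && !$allow;
}

// Cross-check: whatever was typed is tested against username AND e-mail rules.
function request_allowed_raw(array $rules, string $input): bool {
  return !is_denied($rules, 'user', $input) && !is_denied($rules, 'mail', $input);
}

// Alternative: find the account, then test its name and its address separately.
function request_allowed_resolved(array $rules, array $accounts, string $input): bool {
  foreach ($accounts as $a) {
    if (strcasecmp($a['name'], $input) === 0 || strcasecmp($a['mail'], $input) === 0) {
      return !is_denied($rules, 'user', $a['name']) && !is_denied($rules, 'mail', $a['mail']);
    }
  }
  return false; // no matching account
}

var_dump(request_allowed_raw($rules, 'Jane Doe'));         // input is the username
var_dump(request_allowed_raw($rules, 'jane@example.com')); // input is the e-mail address
var_dump(request_allowed_resolved($rules, $accounts, 'jane@example.com'));
```

With these sample rules the address never matches the `% %` allow mask, so the raw check refuses it even though no e-mail rule exists, while the resolved check evaluates the address only against e-mail rules.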