If a user has forgotten their password and use the link to send out a temp login url, they are asked to confirm their old password.

Comments

dave reid’s picture

I'm not sure how to hide this. I can't find anything specific I can use to hide on registration.

crea’s picture

Subscribing..

aequor’s picture

Subscribing

fizk’s picture

I've created a custom way of handling this for my site. If anyone's interested, I can post it.

fizk’s picture

StatusFileSize
new2.01 KB
new4.95 KB

Two patches are included:

password_change-6.x-1.0-beta1.patch: Patch against 6x. 1.0 beta1

user.pages_.inc_.patch: Patch against core (modules/user/user.pages.inc)

fizk’s picture

Here's what the patch does:

- create a "Change password" fieldset under the user account edit page.

- upon password reset confirmation (following the link in your password reset email), the user is presented with a password change confirmation screen.

dave reid’s picture

Status: Active » Fixed

Found a way to do this and committed it to CVS! Thanks everyone!
http://drupal.org/cvs?commit=301660

fizk’s picture

Is password_change_form_user_pass_reset_alter() called even if the user enters an incorrect timestamp or hashed password in the reset url?

dave reid’s picture

I was pretty sure that it didn't. Basically all the logic in user_pass_reset performs drupal_gotos() which end execution and hence stops any form_alter() hooks to execute. Did a manual test of trying to hack the reset URL and as expected, did not add the flag cookie.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

weka’s picture

Status: Closed (fixed) » Active

Password change confirm 6.x-1.0 is displaying the "Your current password:" field on the edit form for users who just logged in using the one-time login.

This would not be too bad of a problem except the password sent in the welcome e-mail is not validating and user receives the "Incorrect current password." error when entering the password received in the e-mail.

YK85’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev

I see this issue is for 7.x-1.x-dev
I was wondering if this problem still exists in 6.x-1.x-dev as indicated by Weka in #11

Also, what happens to the "Your current password:" field when you log in with the one-time login (forgotten password) and need to change your password?

Thank you!

dave reid’s picture

Status: Active » Fixed

Using the latest 6.x-1.x I can't confirm there is any problem. I was able to use the reset password link just fine.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.