Why are first time registrants getting the message, “Your current password is missing or incorrect; it's required to change the Password” when they DO NOT have a "current password" to be "missing or incorrect?"

Example:

1. Visitor comes to site
2. Visitor Pushes “Create new account” Button
3. Visitor directed to: user/register page
4. Visitor enters Username *
5. Visitor enters E-mail address *
6. Visitor hits submit/enter
7. Visitor gets the “A welcome message with further instructions has been sent to your e-mail address.”
8. Visitor goes to check email and finds the following:

“Thank you for registering at ….
You may now log in by clicking this link or copying and pasting it to your browser:
www.site/user/reset/a string of numbers and letters.. blah blah blah

This link can only be used once to log in and will lead you to a page where
you can set your password.”

9. Visitor/user clicks link and is taken to:

Reset password
This is a one-time login for …and will expire on …..
Click on this button to log in to the site and change your password.
This login can be used only once.

10. Visitor/user clicks the login button
11. Visitor/user goes to edit and sees the following fields:

Username *
Current password
E-mail address *
Password
Confirm password

12. Visitor/user enters information in the following fields to set up his password for the first time (because he doesn’t have a “current password” to enter):

Password: Blaggh123& Password strong
Confirm password Blah123& Passwords match: yes

13. Visitor clicks the “Press Save” button.
14. Visitor/user gets the following message:

“Your current password is missing or incorrect; it's required to change the Password.”
Also, the “Current password” field is highlighted in red

15. The visitor/user is annoyed because they don’t have a “Current password”

So 2 questions:
1. Why are first time registrants getting the message, “Your current password is missing or incorrect; it's required to change the Password” when they DO NOT have a "current password" to be "missing or incorrect?"
2. What needs to be done now to stop it from happening again?

Comments

stevenpatz

Category: bug » support
Priority: Critical » Normal

JvE

Version: 7.15 » 7.x-dev
Status: Active » Closed (works as designed)

The login link from step 10 will direct the user to the URL user/uid/edit?pass-reset-token=...
This pass-reset-token allows a new password to be entered without entering the current password.

So if you have *any* module, action, rule or trigger that sends the user elsewhere on login (after step 10) then the pass-reset-token may get lost before the user ends up on the user/uid/edit page (step 11) again.
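
The flow described in the comment above, as an added example that is not part of the original thread and is not Drupal's code: a simplified Python model of steps 10 to 13, showing how a redirect on login discards the token-bearing URL and how exempting one-time logins from the redirect avoids it. The session-side copy of the token, the uid 42, the function names and the "saved" marker are assumptions of this model.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_PARAM = "pass-reset-token"  # query parameter named in the comment above
ERROR = ("Your current password is missing or incorrect; "
         "it's required to change the Password.")

def one_time_login(session, uid):
    """Step 10: log the user in and build the token-bearing edit URL."""
    token = secrets.token_urlsafe(16)
    session[f"pass_reset_{uid}"] = token  # assumption: server keeps its own copy
    return f"/user/{uid}/edit?" + urlencode({TOKEN_PARAM: token})

def landing_page(reset_url, redirect_rule, exempt_one_time_login=False):
    """Apply a hypothetical 'send users to /user on login' rule."""
    if redirect_rule and not exempt_one_time_login:
        return "/user"  # the token-bearing URL is discarded here
    return reset_url

def open_edit_form(landing, uid):
    """Step 11: reach the edit form from wherever the browser landed."""
    if urlsplit(landing).path == f"/user/{uid}/edit":
        return landing  # still on the URL that carries the token
    return f"/user/{uid}/edit"  # followed the Edit tab: no token in the URL

def save_password(session, uid, url, current_password=None):
    """Step 13: require the current password unless a valid token is present."""
    supplied = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [""])[0]
    expected = session.get(f"pass_reset_{uid}", "")
    token_ok = bool(expected) and secrets.compare_digest(supplied, expected)
    # The model only checks that a current password was given, not its value.
    if not token_ok and current_password is None:
        return ERROR
    return "saved"  # constructed success marker

def register_and_set_password(redirect_rule, exempt_one_time_login=False):
    """Run steps 10-13 for a constructed uid and return the outcome."""
    session, uid = {}, 42
    landing = landing_page(one_time_login(session, uid),
                           redirect_rule, exempt_one_time_login)
    return save_password(session, uid, open_edit_form(landing, uid))

if __name__ == "__main__":
    print("no rule:        ", register_and_set_password(False))
    print("redirect rule:  ", register_and_set_password(True))
    print("rule, exempted: ", register_and_set_password(True, True))
```

A token that does not match the session copy is treated the same as a missing one, so the current-password check cannot be skipped by appending an arbitrary value to the URL.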

ressa

Thanks @JvE
I had a rule which redirected people to their account ("/user") upon login, which meant they were taken away from the page with the reset-pass-token, so they couldn't reset their passwords. Deactivating the rule fixed the issue.

matt.rad

Thanks JvE for posting the solution. I was experiencing the same issue for the same reason.