Updated: Comment #1

Problem/Motivation

When users use the one-time-login link, they are automatically logged in and redirected to the profile form. The user isn't required to change its password, but it's suggested to do so. Thus users are automatically logged in without changing their password.

Proposed resolution

This module adds a password field to the user_pass_reset form where users are required to set their password before being automatically logged in.

Remaining tasks

No remaining tasks.

User interface changes

Only a password field added to the user_pass_reset form. See project page for a screenshot.

API changes

No API changes.

Comments

PA robot’s picture

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

NerOcrO’s picture

Status: Active » Needs work

Hello,

Thank you for contributing.

It should say: git clone --branch master http://git.drupal.org/sandbox/wbressers/2159381.git one_time_login_password

Otherwise, this module is ok for me.

NerOcrO

Anonymous’s picture

Issue summary: View changes
Status: Needs work » Needs review

Hi, Thanks for reviewing.

NerOcrO’s picture

Yes, indeed, my bad :)

rudiedirkx’s picture

Fantastic idea! And I see an admin can still use drush uli to log in as another user, so that's good.

I have one question. I didn't look at the code very long. What does

$_SESSION['pass_reset_' . $account->uid]

do? Is it being used in user_profile_form_submit() or user_login_finalize()?

Anonymous’s picture

My intent was to make as much use of the core code as possible.

In the Core code the user has the following workflow:

  1. User: uses the one time login link
  2. User: is redirected to pass_reset_form > User: clicks on log in
  3. User: is redirected to profile edit form with the pass-reset-token (the token in the drupal_goto and SESSION)
  4. User: changes password > submits (profile_form_submit) > finalizes login process (user_login_finalize)

I've added only a pass form element to the pass_reset_form, and in the submit function I've added the user account to the form_state. Now I can handle the form (like a regular user profile form submit) and the user's password is updated.

The

$_SESSION['pass_reset_' . $account->uid] 

is set because the user_profile_form_submit function expects this when the user_category and pass form fields are set.

function user_profile_form_submit($form, &$form_state) {
  // ...
  if ($category == 'account' && !empty($edit['pass'])) {
    // Remove the password reset tag since a new password was saved.
    unset($_SESSION['pass_reset_'. $account->uid]);
  }
  // ...
}

gobinathm’s picture

Status: Needs review » Postponed (maintainer needs more info)

The Force Password Change module seems to do most of these; why don't you work with that module's maintainer? In fact, there is a feature request submitted in the issue queue to include this functionality.

Looks like this functionality should be incorporated in the existing Force Password Change module. As you are aware, our Drupal community strongly believes in collaboration rather than competition. Please work with the existing module maintainer and provide a patch for the existing issue. Apart from this, you can also get in touch with the maintainer(s) & see how to incorporate this feature in that module.

As a Drupaler, I request you to work on & update the existing Force Password Change module and not create another module for the same functionality.

Anonymous’s picture

Status: Postponed (maintainer needs more info) » Needs review

From a site maintainer / editor perspective
You have a valid point, and I'll look into that.

From (my) developer perspective
I only need the password field on pass_reset_form for my projects. My clients don't want to bother their clients by occasionally forcing them to update their passwords. If I deliver a site and import the user database, I'll send a one-time-login mail to all the users and that's it.

So for that reason I'll suggest having the best of both: a separate module and an integration / implementation with other modules.

spadxiii’s picture

Cool little module that does what it says and nothing more. It adds the password-fields to the page you get linked to when resetting your password and forces you to set a new password.

I just installed it in my own site and it works fine. Code looks good.

Regarding gobinathm's comment; I don't think this module is competition for Force Password Change. It only offers a tiny bit of functionality currently not found there. Sure, this could be incorporated into that module, but then I would probably still keep this little module alive. Why install a big(ger) module when a tiny one does the job you need?

heddn’s picture

Status: Needs review » Needs work

function one_time_login_password_menu_alter(&$items) {
  $items['user/reset/%/%/%']['page arguments'][0] = 'one_time_login_password_user_pass_reset';
  unset($items['user/reset/%/%/%']['file']);
}

This won't play nicely if someone already has an alter on the menu. Perhaps replace with this or something similar.
$items['user/reset/%/%/%']['page arguments'][] = 'one_time_login_password_user_pass_reset';

PA robot’s picture

Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

spadxiii’s picture

Status: Closed (won't fix) » Reviewed & tested by the community

@heddn your solution will not work; the page callback is drupal_get_form which expects argument 0 to be the form name.

Marking this as RTBC so someone can convert this into a module (just like was done with my module: https://www.drupal.org/node/2154791#comment-8681831).

heddn’s picture

Then use array_unshift. But don't replace the first position on the submit handlers, unless there is good reason.

spadxiii’s picture

Where do you see it's replacing submit-handlers?

The menu_alter is replacing the first argument that's being sent to drupal_get_form. No way around it. Using array_unshift will mess things up more (the original first argument will be used as $form??)
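
An added example, not part of this thread or the module's code: a stand-alone PHP model of how the page arguments of user/reset/%/%/% reach drupal_get_form() under the three variants discussed above (replace index 0, append with [], array_unshift). resolve_page_arguments() and model_drupal_get_form() are hypothetical stand-ins for the menu system and the core function, and the sample path values are constructed.

```php
<?php
// Added illustration: models how Drupal 7 hands a menu item's
// 'page arguments' to its 'page callback'. No Drupal bootstrap is needed.

// Page arguments of the core route: integers are path-segment indexes.
$core = array('user_pass_reset', 2, 3, 4);

// Hypothetical helper: substitute path segments for integer placeholders,
// as the menu system does before calling the page callback.
function resolve_page_arguments(array $page_arguments, $path) {
  $segments = explode('/', $path);
  $resolved = array();
  foreach ($page_arguments as $arg) {
    $resolved[] = is_int($arg) ? $segments[$arg] : $arg;
  }
  return $resolved;
}

// Stand-in for drupal_get_form(): the first argument is always the form ID,
// everything after it is passed on to the form builder.
function model_drupal_get_form($form_id) {
  $builder_args = array_slice(func_get_args(), 1);
  return array('form_id' => $form_id, 'builder_args' => $builder_args);
}

// Constructed sample path: uid, timestamp, hashed password placeholder.
$path = 'user/reset/42/1700000000/HASHED_PASS_PLACEHOLDER';
$custom = 'one_time_login_password_user_pass_reset';

$variants = array(
  // What the module's hook_menu_alter() does.
  'replace index 0' => array_replace($core, array(0 => $custom)),
  // The "[]" suggestion: the core form ID stays in front.
  'append with []' => array_merge($core, array($custom)),
  // The array_unshift suggestion: the core form ID becomes a builder argument.
  'array_unshift' => array_merge(array($custom), $core),
);

foreach ($variants as $label => $page_arguments) {
  $call = call_user_func_array('model_drupal_get_form',
    resolve_page_arguments($page_arguments, $path));
  printf("%-16s form_id=%s builder_args=[%s]\n", $label,
    $call['form_id'], implode(', ', $call['builder_args']));
}
```

Only the first variant both selects the module's form builder and leaves uid, timestamp and hashed password in the positions the reset-link validation expects.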

kscheirer’s picture

You've listed Simple Password Reset as a similar module, but it seems to provide exactly the same functionality. Can you explain the difference?

The menu_alter hook looks fine; as SpadXIII points out, it's modifying the page arguments, not submit handlers.

The code is pretty short, but we no longer require that to pass an application. Additionally the applicant has many larger commits on other projects that show good use of the Drupal API.

kscheirer’s picture

Status: Reviewed & tested by the community » Postponed (maintainer needs more info)

Anonymous’s picture

The Simple Password Reset achieves the same goal with a different approach.

The Simple Password Reset loads the user profile form on the user_pass_reset form and alters the profile form on this page. The One time login password is much smaller because it relies more on the Drupal core. It adds a required pass field to the form in the same manner as the profile form, and on submission the user profile is updated.

PA robot’s picture

Status: Postponed (maintainer needs more info) » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.