Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem Description
Currently this module assumes that any user that would need to force password changes can do so globally on all user accounts. There are some usecases where a site will delegate user management to non-administrative users via modules such as administerusersbyrole.
In this scenario, you would not want to grant these lower privilege users the "administer force password change" permission as that may allow a lower privileged user to force an administrative user to change their password.
Proposed Solution
- Create a separate permission for forcing password changes on the user edit screen.
- Modify the hook_form_alter() implementation in the .module file to allow triggering a password change if the current user has either permission.
- Add an action plugin to allow bulk triggering password changes on multiple user accounts.
Patch will be submitted shortly to support this.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | force_password_change-2876763-3.patch | 5.35 KB | shawn_smiley |
Comments
Comment #2
shawn_smiley CreditAttribution: shawn_smiley at Achieve Internet commentedInitial patch attached. It still needs unit/functional tests though.
Comment #3
shawn_smiley CreditAttribution: shawn_smiley at Achieve Internet commentedSorry, got a bit ahead of myself with the patch. Had a dependency error in patch #2. This patch fixes that issue.
Comment #4
shawn_smiley CreditAttribution: shawn_smiley at Achieve Internet commentedComment #5
adr_p CreditAttribution: adr_p commentedThe patch still applies and works after all this time.