If you set a role's expiration time to "0" in the Force Password Change config, you are still required to change your password and you have to do it at every login.

Looks like it's a bug in the ForcePasswordChangeService::checkForForce() method.

When the method is checking if the user's password has expired, we're missing parentheses, causing the condition to be parsed as:

if (($expiry && $expiration_condition) || $expiration_condition2)

The second expiration condition is just current request time - $expiry (0) > account creation time, which is always going to return true (except the immediate login after account creation).

Instead, the condition should be:

if ($expiry && ($expiration_condition || $expiration_condition2))

so roles with a "0" expiration time can never expire.

Patch to follow.
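
The precedence problem described in the issue summary above, as an added PHP example (not the module's code and not part of the original post). Function and parameter names are hypothetical, the first condition is an assumed stand-in for the module's real check, and the timestamps are constructed.

```php
<?php
// Added illustration, not the module's code. Names are hypothetical;
// condition 1 is an assumed stand-in, condition 2 follows the issue text.

function expired_as_parsed(int $now, int $expiry, int $last_change, int $created): bool {
  // No grouping: && binds tighter than ||, so PHP evaluates
  // (($expiry && cond1) || cond2) and cond2 runs even when $expiry is 0.
  return $expiry && ($now - $expiry) > $last_change
    || ($now - $expiry) > $created;
}

function expired_as_intended(int $now, int $expiry, int $last_change, int $created): bool {
  // $expiry guards both checks, so an expiry of 0 means "never expires".
  return $expiry && (
    ($now - $expiry) > $last_change
    || ($now - $expiry) > $created
  );
}

$now = 1700000000;  // constructed request time
$day = 86400;

// Constructed cases: [label, expiry, last password change, account created].
$cases = [
  ['expiry 0, year-old account',         0,         $now - 10 * $day, $now - 365 * $day],
  ['expiry 0, account created just now', 0,         $now,             $now],
  ['expiry 30d, password 90d old',       30 * $day, $now - 90 * $day, $now - 365 * $day],
  ['expiry 30d, account 1d old',         30 * $day, $now - $day,      $now - $day],
];

foreach ($cases as [$label, $expiry, $last_change, $created]) {
  $parsed   = expired_as_parsed($now, $expiry, $last_change, $created);
  $intended = expired_as_intended($now, $expiry, $last_change, $created);
  printf(
    "%-36s parsed=%-5s intended=%-5s %s\n",
    $label,
    var_export($parsed, TRUE),
    var_export($intended, TRUE),
    $parsed === $intended ? '' : '<-- differs'
  );
}
```

The two forms can only disagree when $expiry is falsy, which is why the symptom is limited to roles configured with "0".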


Comments

marcaddeo created an issue. See original summary.

marcaddeo’s picture

Status: Active » Needs review

J-Lee’s picture

Status: Needs review » Reviewed & tested by the community

This issue breaks the user account notification and password reset one-time links. The user can't change the password because the current password field appears because a password change is forced.

Patch looks good to me. Thank you.

johnpicozzi’s picture

@Jaypan Can we get this merged in?

qudec’s picture

Adding an equivalent patch for the 7.x-2.x version of the module.

davidacardona’s picture

Hi, I have been having this issue too. When an authenticated user (not only admins) tries to update their password, the system asks again and again to set a new password, making the site unusable. Pleaseee. I need help with this!

larisse’s picture

Version: 8.x-1.x-dev » 2.0.x-dev

Is this still a problem in the 2.0.x version?

larisse’s picture

Status: Reviewed & tested by the community » Needs review

dtfabio’s picture

Status: Needs review » Reviewed & tested by the community

I have tested it after installing the 2.0.0 module and the bug no longer occurs.