If you set a role's expiration time to "0" in the Force Password Change config, you are still required to change your password and you have to do it at every login.
Looks like it's a bug in the ForcePasswordChangeService::checkForForce() method.
When the method is checking if the user's password has expired, we're missing parentheses, causing the condition to be parsed as:
if (($expiry && $expiration_condition) || $expiration_condition2)
The second expiration condition is just current request time - $expiry (0) > account creation time, which is always going to return true (except the immediate login after account creation).
Instead, the condition should be:
if ($expiry && ($expiration_condition || $expiration_condition2))
so roles with a "0" expiration time can never expire.
Patch to follow.
Comment | File | Size | Author |
---|---|---|---|
#6 | force_password_change-2884243-7.x-2.x-3.patch | 892 bytes | qudec |
#2 | force_password_change-2884243-2.patch | 2.98 KB | marcaddeo |
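The precedence problem described in the report above, shown as an added example that is not part of the original issue or the module's code. The function and parameter names are hypothetical, and the first expiration condition, which the report does not show, is passed in as a boolean.

```php
<?php
// Added example, not the module's code: function and parameter names are hypothetical.

// Grouping PHP applies when the parentheses are missing:
// && binds tighter than ||, so the expiry check guards only the first condition.
function expired_as_parsed(int $expiry, bool $cond1, int $now, int $created): bool {
    $cond2 = ($now - $expiry) > $created; // second condition as described in the report
    return ($expiry && $cond1) || $cond2;
}

// Grouping proposed in the report: an expiry of 0 short-circuits the whole test.
function expired_as_intended(int $expiry, bool $cond1, int $now, int $created): bool {
    $cond2 = ($now - $expiry) > $created;
    return $expiry && ($cond1 || $cond2);
}

// Constructed sample data (Unix timestamps); not taken from a real site.
$now = 1700000000;
$day = 86400;
$cases = [
    // label, expiry in seconds, first condition, account creation time
    ['expiry 0, account 30 days old',    0,         false, $now - 30 * $day],
    ['expiry 0, first login',            0,         false, $now],
    ['expiry 90d, account 200 days old', 90 * $day, false, $now - 200 * $day],
    ['expiry 90d, account 10 days old',  90 * $day, false, $now - 10 * $day],
];

// Print both groupings side by side; only the first row should differ.
foreach ($cases as [$label, $expiry, $cond1, $created]) {
    printf("%-34s parsed=%-5s intended=%s\n",
        $label,
        var_export(expired_as_parsed($expiry, $cond1, $now, $created), true),
        var_export(expired_as_intended($expiry, $cond1, $now, $created), true));
}
```

The same four cases work as a regression test for the fix: a role with expiry 0 must never report an expired password, whatever the account age.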
Comments
Comment #2
marcaddeo commented
Comment #3
marcaddeo commented
Comment #4
J-Lee commented
This issue breaks the user account notification and password reset one-time links. The user can't change the password because the current password field appears because a password change is forced.
Patch looks good to me. Thank you.
Comment #5
johnpicozzi commented
@Jaypan Can we get this merged in?
Comment #6
qudec (as a volunteer and at Smile) commented
Adding an equivalent patch for the 7.x-2.x version of the module.
Comment #7
davidacardona commented
Hi, I have been having this issue too. When an authenticated user (not only admins) tries to update their password, the system asks again and again to set a new password, making the site unusable. Pleaseee. I need help with this!
Comment #8
larisse (at CI&T) commented
Is this still a problem in the 2.0.x version?
Comment #9
larisse (at CI&T) commented
Comment #10
dtfabio (at Calibrate) commented
I have tested it after installing the 2.0.0 module and the bug no longer occurs.