- ๐ฎ๐ณIndia sharma.amitt16 Delhi
Thanks @deivamagalhaes for raising this issue. This is a very good feature and is required multiple times.
I tried patch #20, which is not applicable anymore on Drupal 10.1.0-dev. Creating a new patch along with schema and test case fixes. - Status changed to Needs review
over 1 year ago 6:57am 11 May 2023 - last update
over 1 year ago 29,381 pass, 2 fail The last submitted patch, 43: Provide-option-to-disable-password-recovery-by-e-mail-2356655-43.patch, failed testing. View results โ
- last update
over 1 year ago Composer error. Unable to continue. - Status changed to Needs work
over 1 year ago 10:33pm 11 May 2023 - ๐บ๐ธUnited States smustgrave
New setting will need a change record + upgrade path
- Status changed to Needs review
over 1 year ago 4:41am 12 May 2023 - ๐ฎ๐ณIndia sharma.amitt16 Delhi
@smustgrave โ added the change record at https://www.drupal.org/node/3359827 โ .
- Status changed to Needs work
over 1 year ago 1:00pm 12 May 2023 - Status changed to Needs review
over 1 year ago 2:22pm 12 May 2023 - ๐ฎ๐ณIndia sharma.amitt16 Delhi
@smustgrave added the upgrade details in the change record.
Please review. - Status changed to Needs work
over 1 year ago 2:25pm 12 May 2023 - ๐บ๐ธUnited States smustgrave
Upgrade path in code.
If adding a new setting is going to change the configuration it will need an upgrade hook.
- Status changed to Needs review
over 1 year ago 4:58am 15 May 2023 22:59 38:45 Running- ๐ฎ๐ณIndia sharma.amitt16 Delhi
@smustsgrave upgrade path for disable reset password is added along with test. Please review.
The last submitted patch, 52: Provide-option-to-disable-password-recovery-by-e-mail-2356655-52.patch, failed testing. View results โ
- last update
over 1 year ago 29,389 pass - ๐ฎ๐ณIndia sharma.amitt16 Delhi
Fix added for the test case failure.
RCA:
The order of the new config is not consistent in all the configs, hence showing the difference between the actual config and the imported config. - Status changed to Needs work
over 1 year ago 7:15pm 17 May 2023 - ๐บ๐ธUnited States smustgrave
Can the update hook be updated please. Had to double check but it should be 101011
- ๐ช๐ธSpain penyaskito Seville ๐, Spain ๐ช๐ธ, UTC+2 ๐ช๐บ
I don't think we should do this.
OP says:
> When using an external authentication system (such as LDAP) it is reasonable that system administrators would like to disable password recovery feature, since Drupal is not handling or storing user's passwords.
Then IMHO it's whatever authentication module you are using responsability. If we think this is a quite often needed feature with several authentication methods, then a separate contrib module those would depend on should be created.
- ๐จ๐ญSwitzerland ayalon
I think we should implement this feature.
During a Pentest review I was made aware of the fact, that the password reset mechanism is insecure.
The issue is, that if you click on the password reset link, you are automatically logged in. You don't need to change the password at all, you get a valid session.If an attacker gets access to a mailbox, the attacker can use the "Password reset" feature to log in to the vicitims account without changing the password. This is very handy as the victim will not realize, that his account has been hacked. If the password is changed, at least he would realize that something happend.
Therefore, I like to option to disable the password reset mechanism.
- Status changed to RTBC
5 months ago 10:42am 10 July 2024 - ๐จ๐ญSwitzerland ayalon
I have updated the patch to work with later Drupal version > 10.2.
I have tested it and reviewed the code.
- Status changed to Needs work
5 months ago 10:46am 10 July 2024 The Needs Review Queue Bot โ tested this issue.
While you are making the above changes, we recommend that you convert this patch to a merge request โ . Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)
- ๐จ๐ญSwitzerland martinpe
Adding updated patch which works with Drupal 10.3
- ๐บ๐ฆUkraine id.aleks
Hello. The UserLoginForm.php displays the
Forgot your password?
link when an unrecognized username or password is entered. We need to hide this link if thedisable_reset_password
option is enabled. - ๐บ๐ฆUkraine id.aleks
Additionally, the
disable_reset_password
checkbox in theAccountSettingsForm
states that it removes access to password reset page for anonymous users only. However, theDisableResetPassword access check
currently only verifies thedisable_reset_password
option. It seems this should be addressed as well.