- India sharma.amitt16 Delhi
Thanks @deivamagalhaes for raising this issue. This is a very good feature and is required multiple times.
I tried patch #20, which is not applicable anymore on Drupal 10.1.0-dev. Creating a new patch along with schema and test case fixes.
- Status changed to Needs review
over 1 year ago 6:57am 11 May 2023
- last update
over 1 year ago 29,381 pass, 2 fail
The last submitted patch, 43: Provide-option-to-disable-password-recovery-by-e-mail-2356655-43.patch, failed testing.
- last update
over 1 year ago Composer error. Unable to continue.
- Status changed to Needs work
over 1 year ago 10:33pm 11 May 2023
- United States smustgrave
New setting will need a change record + upgrade path
- Status changed to Needs review
over 1 year ago 4:41am 12 May 2023
- India sharma.amitt16 Delhi
@smustgrave added the change record at https://www.drupal.org/node/3359827.
- Status changed to Needs work
over 1 year ago 1:00pm 12 May 2023
- Status changed to Needs review
over 1 year ago 2:22pm 12 May 2023
- India sharma.amitt16 Delhi
@smustgrave added the upgrade details in the change record.
Please review.
- Status changed to Needs work
over 1 year ago 2:25pm 12 May 2023
- United States smustgrave
Upgrade path in code.
If adding a new setting is going to change the configuration it will need an upgrade hook.
- Status changed to Needs review
over 1 year ago 4:58am 15 May 2023
- India sharma.amitt16 Delhi
@smustgrave upgrade path for disable reset password is added along with test. Please review.
The last submitted patch, 52: Provide-option-to-disable-password-recovery-by-e-mail-2356655-52.patch, failed testing.
- last update
over 1 year ago 29,389 pass
- India sharma.amitt16 Delhi
Fix added for the test case failure.
RCA:
The order of the new config is not consistent in all the configs, hence showing the difference between the actual config and the imported config.
- Status changed to Needs work
over 1 year ago 7:15pm 17 May 2023
- United States smustgrave
Can the update hook be updated please. Had to double check but it should be 101011
- Spain penyaskito Seville, Spain, UTC+2
I don't think we should do this.
OP says:
> When using an external authentication system (such as LDAP) it is reasonable that system administrators would like to disable password recovery feature, since Drupal is not handling or storing user's passwords.
Then IMHO it's the responsibility of whatever authentication module you are using. If we think this is a quite often needed feature with several authentication methods, then a separate contrib module those would depend on should be created.
- Switzerland ayalon
I think we should implement this feature.
During a Pentest review I was made aware of the fact that the password reset mechanism is insecure.
The issue is that if you click on the password reset link, you are automatically logged in. You don't need to change the password at all, you get a valid session. If an attacker gets access to a mailbox, the attacker can use the "Password reset" feature to log in to the victim's account without changing the password. This is very handy as the victim will not realize that his account has been hacked. If the password is changed, at least he would realize that something happened.
Therefore, I like the option to disable the password reset mechanism.
- Status changed to RTBC
4 months ago 10:42am 10 July 2024
- Switzerland ayalon
I have updated the patch to work with later Drupal versions > 10.2.
I have tested it and reviewed the code.
- Status changed to Needs work
4 months ago 10:46am 10 July 2024
The Needs Review Queue Bot tested this issue.
While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)
- Switzerland martinpe
Adding updated patch which works with Drupal 10.3
- Ukraine id.aleks
Hello. The UserLoginForm.php displays the "Forgot your password?" link when an unrecognized username or password is entered. We need to hide this link if the disable_reset_password option is enabled.
- Ukraine id.aleks
Additionally, the disable_reset_password checkbox in the AccountSettingsForm states that it removes access to password reset page for anonymous users only. However, the DisableResetPassword access check currently only verifies the disable_reset_password option. It seems this should be addressed as well.