Reset Password link is not working

Hi,

I created 1 patch for it.

I see this problem too.

The above patch does solve the issue, but the code contains other issues that cause more crashes. For example, the `$this->userStorage` property is called, but that property is never set so the page crashes if the user reaches that code.

I wonder if a better approach might be to decorate or extend the original UserController here? Most of the code in the ShyController is using code from that controller and that would mean that the ShyController only needs to reject the request or call the parent UserController resetPass action.

I'll give this a go.

Created an MR with the proposed change.

Marking as ready for review.

@philipnorton42 Thank you for the patch, however, this one leverages the primary mechanic. Initially, when the module was still an alpha version, the UserController class was also extended. However, this is not allowed to happen, as a team member from the security team informed me at the time. Attached is his explanation from back then.

As Drupal 8 and 9 backwards compatibility and internal API policy (backend) → says, database schema for core modules, HTTP headers, automated test classes, controller and form classes, plugins, entity handlers, parameter converters, access checkers, event subscribers, and hook implementations should always be treated as internal.
For classes, this means they cannot be extended from a class implemented by contributed code, except in the case of base classes like the ConfigBase class. For hooks, it means contributed code cannot call a hook implemented by a Drupal core module directly.

That's interesting, thanks for the update @zcht.

In that case there are two options:
- We copy and paste the entire codebase from the UserController module into the ShyController controller.
- We select another mechanism to perform this check. I'm thinking that instead of using the controller to return an access denied we do this through an event listener.

I was looking at event listeners the other day and one to perform this action should be pretty simple to write (I think!).

I'll revert that code and have another go at it.

Hi @zcht,

I have updated the MR with an event subscriber approach to this issue. As this removes the need for the ShyController I have removed that from the codebase.

I have never used the passwordless login module before, but I'm assuming that these changes would also negate the need for that controller. I've left it alone for now, but I'd be interested to hear what you think.

Thanks @philipnorton42, yes find the approach also good and more generic it is too. I'm so happy to take over the patch and make a new release right away. Thanks for the work.

I know this is closed, but I just wanted to thank you very much for releasing a new version of the module so quickly. I really appreciate it.

no problem and gladly, thank you for the work and support of the project. :)