- Issue created by @manuel.adan
- @manueladan opened merge request.
- Issue was unassigned.
- Status changed to Needs review
almost 2 years ago 11:30am 2 May 2023 - Status changed to Needs work
almost 2 years ago 12:49pm 2 May 2023 - First commit to issue fork.
- Merge request !11499Check access to the reset password page in login warning β (Open) created by dcam
- πΊπΈUnited States dcam
I rebased the old MR for 11.x and added a test.
- πΊπΈUnited States smustgrave
UI section should actually contain before/after screenshots.
Leaving as a bug but not 100% sure, tagging for framework manager sign off too.
Feel if this is a desired feature there probably should be a config option.
- πΊπΈUnited States dcam
Added screenshots.
I implemented the autoconfigure option in the services file.
- πΊπΈUnited States smustgrave
For what it's worth I may be -1 for this, and think it would be a feature request and probably a new configuration setting for accounts
- πΊπΈUnited States dcam
This issue isn't particularly important to me; I'm just writing tests for issues that need tests. But for what it's worth I think it's strange idea to have a configuration setting that effectively asks admins "Do you want to prevent a link from being displayed that may lead to a 403 error page depending on your site's configuration?"
If it must be configurable, then it may be better to build the capability to turn off the password reset page directly into Core instead. That way we're checking a more well-defined feature, not building configuration whose function is difficult to articulate why an admin would want to use it.
- πΊπΈUnited States dcam
While I might not care about this issue as stated (where the standard login form is used, but for some reason the password reset page must be disabled) being able to disable the password reset page with Core functionality is of interest to me. We use an external authentication provider at work. Since we bypass Drupal's basic auth, I had to build a small custom module to turn off the password reset route so no one tries to use it. There are contrib modules out there that do similar things, but none of them did exactly what I wanted. So this is a pretty common need for people using external auth.
- πΊπΈUnited States smustgrave
Then shouldn't a configuration setting under Account settings make that easier. So you can just set it without any contrib module having to do it for you.
- πΊπΈUnited States dcam
Yes, that's what I'm saying. But that isn't the original reason for this issue. A maintainer would need to weigh in and determine whether the issue should be refocused to do that.
- π¬π§United Kingdom catch
I think it's fine to check access on the link before showing it in this case. We do this even in some help text pages, and for a visitor-facing string it makes even more sense. Untagging for framework manager review. Replied to one thread on the MR but don't have a strong opinion either way.
I think it's worth a follow-up issue to add a config option for the password reset page under user settings, but that could still conditionally set access on the route, so it still makes sense to check route access before displaying the link IMO - e.g. we wouldn't necessarily have to change this code, except to drop some test module code and use the user config instead.