Password policy should ignore the current password when attempting to reset the password

Created on 27 March 2025, about 1 month ago

Problem/Motivation

After enabling the password policy module, if I log in with an account that has the same password as the username and attempt to change the password, the form validation checks the current password and fails with the message below:
Fail - Password must not contain the username.

Steps to reproduce

Create an account with the same password as the username. Enable and configure the password policy module(s) and be sure to enable the rule "Password must not contain the user's username". Log in with the new account, visit the Change Password form, and attempt to change the password.

Proposed resolution

Ignore the current password field when validating the form so the user can change to a valid password that passes all the policy rules.

🐛 Bug report
Status

Active

Version

4.0

Component

User interface

Created by

🇺🇸 United States uberhacker
