Reset password form can still be accessed

Created on 9 July 2025, 7 days ago

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

This module removes the "Reset your password" link on the login page but the reset password form can still be accessed by browsing to /user/password.

I'm not entirely sure if this is intentional or not but the module description says that it will "enhance security by limiting password reset options" which is not true right now.

Also it seems the "Reset your password" link is not removed from /user/register.

Steps to reproduce

1. Enable the module
2. Browse to /admin/config/people/reset-password-form-settings and enable 'Remove "Reset your password" from local tab for anonymous user.'
3. As an anonymous user browse to /user/password

Proposed resolution

The module should probably restrict the access to the page or at least make it clear in its description that the page can still be accessed.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇫🇷France prudloff Lille
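
One way to implement the access restriction proposed in the issue summary, as an added example that is not the module's own code: a route subscriber that requires a logged-in user on the core password reset routes, so hiding the link is backed by an actual access check. The module name `example_reset_guard` and the class name are hypothetical, and the sketch does not read the module's settings form value.

```php
<?php

namespace Drupal\example_reset_guard\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Blocks anonymous access to the core password reset routes.
 *
 * Hypothetical module "example_reset_guard". Register the class in
 * example_reset_guard.services.yml:
 *
 *   services:
 *     example_reset_guard.route_subscriber:
 *       class: Drupal\example_reset_guard\Routing\ResetPasswordRouteSubscriber
 *       tags:
 *         - { name: event_subscriber }
 */
class ResetPasswordRouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    // user.pass is the HTML form at /user/password. user.pass.http is the
    // POST endpoint on the same path used with ?_format=json. Both must be
    // covered, otherwise the reset e-mail can still be requested.
    foreach (['user.pass', 'user.pass.http'] as $route_name) {
      $route = $collection->get($route_name);
      if ($route === NULL) {
        // Route not defined on this site; nothing to restrict.
        continue;
      }
      // Core ships these routes with "_access: TRUE". Adding this
      // requirement makes the access check fail for anonymous users while
      // logged-in users keep access to the form.
      $route->setRequirement('_user_is_logged_in', 'TRUE');
    }
  }

}
```

After a cache rebuild, repeating step 3 of the reproduction as an anonymous user should return a 403 response instead of the form.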

Tags

  • Security improvements
