Account created on 28 June 2013, over 11 years ago

Recent comments

🇬🇧 United Kingdom billy.davies

Steps to reproduce as follows:

1. Install the module and create a password policy.
2. Modify the User Profile form display settings (via /admin/config/people/accounts/form-display) to include the "Password Expiration" field.
3. Create a user role that does not have the "Manage password reset" permission.
4. Create a new user with the role you just created.
5. Use the "Force Password Reset" functionality (via /admin/config/security/password-policy/reset) to expire the passwords of all users with the new role.
6. Log in as the new user you created and you are directed to reset your password.
7. Reset your password following the password policy rules. This will show a confirmation message that the password was successfully updated.
8. Browse to any page (or refresh the current page) and you will be sent back to the "Your password has expired" workflow.

As identified in #10 this is because the password reset related fields are present in the edit user form but the user without the "Manage password reset" permission does not have permission to use them. Merge request https://git.drupalcode.org/project/password_policy/-/merge_requests/58 works around this by hiding the fields, but as identified in #13 users could manipulate the fields when they shouldn't be able to. I've created a merge request that removes the fields from the form if a user doesn't have the "Manage password reset" permission to resolve the issue whilst maintaining security.
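The approach described in the comment above, a server-side permission check that removes the password-reset fields from the user edit form rather than merely hiding them, written out as an added example. This is not code from the password_policy module or from the merge request; the module name `example_pp`, the permission machine name `manage password reset`, and the field names `field_password_expiration` and `field_last_password_reset` are assumptions made for the illustration.

```php
<?php

/**
 * @file
 * Added example, not the password_policy module's own code.
 *
 * Removes the password-reset fields from the user edit form for any user who
 * lacks the "Manage password reset" permission. Assumed names (not taken from
 * the page): module 'example_pp', permission 'manage password reset', fields
 * 'field_password_expiration' and 'field_last_password_reset'.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for the user edit form (user_form).
 */
function example_pp_form_user_form_alter(array &$form, FormStateInterface $form_state) {
  // Assumed field names added to the user entity by the password policy.
  $reset_fields = ['field_password_expiration', 'field_last_password_reset'];

  // The permission check runs on the server against the acting account, so it
  // cannot be bypassed by editing the page in the browser.
  if (\Drupal::currentUser()->hasPermission('manage password reset')) {
    return;
  }

  foreach ($reset_fields as $name) {
    if (!isset($form[$name])) {
      continue;
    }
    // '#access' => FALSE tells the Form API to neither render the element nor
    // accept a submitted value for it. Hiding the element instead (CSS, or
    // '#type' => 'hidden') still leaves its value in the POST body, where a
    // user could change it before submitting; that is the weakness the
    // comment describes for the hide-only approach.
    $form[$name]['#access'] = FALSE;
  }
}
```

Because the widget extraction skips fields for which no submitted value exists, the stored expiration and last-reset values remain whatever the password policy set them to, so the reset flow is not re-triggered by the user's own profile save.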
