diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index 7d40663..f77bc16 100644
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -98,7 +98,16 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
if ($user->uid) {
// The existing user is already logged in.
if ($user->uid == $uid) {
- drupal_set_message(t('You are logged in as %user. Change your password.', array('%user' => $user->name, '!user_edit' => url("user/$user->uid/edit"))));
+ // The user is already logged in, but is shown a message inviting them to
+ // change their password, since that may be their intent. Let the user's
+ // password be changed without the current password check, as even though
+ // they are logged in, they may not know it.
+ $token = drupal_random_key();
+ $_SESSION['pass_reset_' . $user->uid] = $token;
+ drupal_set_message(t('You are logged in as %user. Change your password.', array(
+ '%user' => $user->name,
+ '!user_edit' => url("user/$user->uid/edit", array('query' => array('pass-reset-token' => $token))),
+ )));
}
// A different user is already logged in on the computer.
else {