If I specify both Force password change on reset and a separate password tab, I have to enter two different passwords.
Steps:
As admin:
1. On /admin/config/people/password_policy check Force password change on reset
2. Create a rule that the last [n] passwords cannot be reused
3. Enable Password Tab module if not enabled
As user:
4. Go to /user/password
5. Enter user name
6. Click E-mail new password
7. When you get the new password link, click it or copy and paste it into the browser.
8. Enter your new password twice.
9. Click Save
Actual result: Still on password tab
Expected result: Redirect to user page
10. Click View tab
Actual result: Error: Your password has expired. You must change your password to proceed on the site.
Expected result: Go to View tab
11. Re-enter the password you entered in step 9
12. Click Save
Actual result: Error: Your password has the following requirement(s): Password must not match last [n] passwords.
Expected result: Password saved (actually not - I didn't expect to be here)
13. Enter a *new* new password.
Actual and expected result: Redirect to user page
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | password_policy-7.x-1.x-fix_password_tab_force_change_on_reset-2386699-2.patch | 766 bytes | aohrvetpv |
Comments
Comment #1
aohrvetpv commented
This patch should fix the bug. Please test.
The patch changes the password tab form submit handler to unset the `pass_reset_*` session variable, as is normally done by the user profile form submit handler when the password is changed on the user profile form (i.e., on the `user/*/edit` page). This prevents `password_policy_drupal_goto_alter()` from again forcing a password change after the password has been changed.
Comment #3
aohrvetpv commented
Comment #4
aohrvetpv commented
The "Force password change on reset" feature does not exist in 6.x-1.x. The password tab feature does not exist in 7.x-2.x. So I think this is fixed in all active branches.
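The behaviour reported in the steps above and the fix described in comment #1, modelled as an added example. It is not the attached patch and not Password Policy's code: every function name is hypothetical, a plain array stands in for `$_SESSION`, and plain strings stand in for stored password hashes.

```php
<?php
// Added illustration: a stand-alone model of the flow in this issue.
// Function names are hypothetical; sample values are constructed.

// One-time login link used: the session is flagged as a password reset.
function use_reset_link(array &$session, int $uid): void {
  $session['pass_reset_' . $uid] = TRUE;
}

// Stand-in for the redirect check: while the flag is set, page requests
// are sent back to the password form.
function must_change_password(array $session, int $uid): bool {
  return !empty($session['pass_reset_' . $uid]);
}

// Stand-in for the password tab submit handler. $clear_flag = FALSE models
// the reported behaviour; TRUE models the fix described in comment #1.
function password_tab_submit(array &$session, array &$history, int $uid, string $pass, bool $clear_flag): string {
  // History rule: plain strings stand in for stored password hashes.
  if (in_array($pass, $history, TRUE)) {
    return 'Password must not match last [n] passwords.';
  }
  $history[] = $pass;
  if ($clear_flag) {
    // The password was changed, so the reset flag is no longer needed.
    unset($session['pass_reset_' . $uid]);
  }
  return 'saved';
}

foreach ([FALSE, TRUE] as $clear_flag) {
  $session = [];
  $history = ['old-password'];  // constructed sample data
  $uid = 7;                     // constructed sample uid
  use_reset_link($session, $uid);
  $first = password_tab_submit($session, $history, $uid, 'new-password', $clear_flag);
  $forced = must_change_password($session, $uid);
  // If still forced, the user retypes the same password, as in step 11.
  $second = $forced
    ? password_tab_submit($session, $history, $uid, 'new-password', $clear_flag)
    : 'not prompted';
  printf("clear_flag=%s first=%s forced_again=%s second=%s\n",
    $clear_flag ? 'yes' : 'no', $first, $forced ? 'yes' : 'no', $second);
}
```

With the flag left in place, the second submission is rejected by the history rule because the first one was already saved; with the flag cleared, the user is not prompted again.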