Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
When the user is logged in and he tries to reset its password we should completely deny the access to /user/password route when the following conditions are met:
- The user account is linked to a CAS account.
restrict_password_managementisTRUE.
Proposed resolution
The solution could be borrowed from https://github.com/openeuropa/oe_authentication. See the oe_authentication.external_user_access_checker service and relevant code in src/Routing/RouteSubscriber.php.
Remaining tasks
None.
User interface changes
When restrict_password_management is TRUE, logged in CAS user will be denied when they try to access /user/password.
API changes
None.
Data model changes
None.
Release notes snippet
N/A
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 3075110-3.patch | 13.65 KB | claudiu.cristea |
Comments
Comment #2
claudiu.cristeaBasically the
CasAdminSettingsTesthas tested the password reset so I renamed the testing class.Comment #3
claudiu.cristeaA better naming for the access checker service.
Comment #4
bkosborneThis looks great, thank you for the great patch and tests! I'm surprised that Drupal doesn't restrict /user/password for authenticated users already, since the password form is already on the main user edit form.