When someone gets a 403 error, sends a password reset, and logs in with the "forgot my password" password reset one-time login link, they are taken directly to the page on which they initially got access denied— no chance to change their password.
Drupal meanwhile loses the password reset token from the query parameter, and so when the user does go to their account page to change their password, they are asked to enter their old password to set a new one— which is rather inconvenient when they have forgotten their old password, which is why they used the password reset link in the first place.
Comments
Comment #1
mlncn commentedThis patch solves this issue. In the process:
It seems solid at always getting the user back to the page access denied was encountered on after logging in, while letting users who use the password reset one-time login link go to their account page to reset their password first. Tested to ensure the issue solved (in 7.x) in #825860: Logging in on 403 page does not work isn't reintroduced.
Comment #2
mlncn commentedComment #4
gisleThanks for the patch mlncn!
I've tested it, and it looks fine. It has been committed to the 7.x-1.x-dev branch.
I'd prefer that a third person tests it and gives it the status RTBC before pushing it in a regular release.
Comment #5
gisleReviewed in #1007200: Password reset procedure no longer works when installed + activated.
Comment #6
gisleFixed in release 7.x-1.3.