If the tfa and tfa_basic modules are in use on a site alongside the legal module and tfa is enabled for a role and a user with that role who has already set up their tfa access tries to reset their password they will receive an access denied error on a password reset instead of being prompted for their tfa code after agreeing to the Terms & Conditions from legal.

This issue seems to be closely related to: https://www.drupal.org/project/legal/issues/1644018 but I am unsure how to fix that issue for the time being and am proposing a work around for this specific use case: the option to bypass the Terms & Conditions displayed from legal on password resets.

CommentFileSizeAuthor
#4 legal-password-reset-bypass-2984965-4.patch3.09 KBjaydarnell
#3 legal-password-reset-bypass-2984965-3.patch2.93 KBjaydarnell

Comments

JayDarnell created an issue. See original summary.

jaydarnell’s picture

jaydarnell
he/him
Primary language English
Location Guelph, Ontario
commented
Issue summary: View changes
jaydarnell’s picture

jaydarnell
he/him
Primary language English
Location Guelph, Ontario
commented
StatusFileSize
new legal-password-reset-bypass-2984965-3.patch2.93 KB

Potential patch to bypass legal Terms and Conditions for password resets:

jaydarnell’s picture

jaydarnell
he/him
Primary language English
Location Guelph, Ontario
commented
StatusFileSize
new legal-password-reset-bypass-2984965-4.patch3.09 KB

Fixed an issue: missing strict comparison and moved logic for password reset bypass into a separate function for readability:

swirt’s picture

swirt
he/him
Primary language English
commented
Status: Active » Needs review
avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Version: 7.x-1.10 » 7.x-1.x-dev
helmo’s picture

helmo commented
Status: Needs review » Reviewed & tested by the community

Thanks, this patch worked just great.