Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
The Password Policy module will not validate passwords set on Simple Password Reset page if Drupal is configured to require email validation.
Steps to reproduce
1. Install the simple_pass_reset module (https://www.drupal.org/project/simple_pass_reset)
2. Install password policy
3. Go to /admin/config/people/accounts and enable Require email verification when a visitor creates an account
4. Log out and go through the password reset process
5. Enter a password that violates the password policy
The password will be accepted because PasswordPolicyValidationManager::validationShouldRun return early.
Proposed resolution
Check the current route in PasswordPolicyValidationManager to see if we're on the password reset page before returning early.
Remaining tasks
N/A
User interface changes
N/A
API changes
N/A
Data model changes
N/A
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | Screenshot from 2022-11-01 15-33-01.png | 52.35 KB | gabrieldv |
| #2 | password_policy-simple_pass_reset_compatibility-3312100-2.patch | 3.07 KB | mediabounds |
Comments
Comment #2
mediabounds commentedComment #3
gabrieldv commentedI'll be reviewing it, thanks for the patch @mediabounds
Comment #4
gabrieldv commentedTested the #2 patch and it seems to be working to me, i also runned the automated tests and didn't break anything. Moving it to RTBC.
Comment #5
paulocsThanks!
Comment #7
paulocs