Problem/Motivation

Trying to log in to the site via a password reset e-mail fails. It simply redirects back to the login page.

Steps to reproduce

  1. Enter username at `/user/password` page
  2. Click link in e-mail

Proposed resolution

Add the user.reset route to the list of protected routes, in addition to user.reset.login.

I can see that Drush prefers the `user.reset.login` route, but e-mail links generated through the [user:one-time-login-url] token via user_pass_reset_url() all use user.reset instead.

CommentFileSizeAuthor
#3 3333943-3.require_login.Cannot-log-in-via-link-in-welcome--password-reset-emails.patch420 bytesgrahamc
#2 3333943-2.require_login.Cannot-log-in-via-link-in-welcome--password-reset-emails.patch396 bytesgrahamc

Comments

grahamC created an issue. See original summary.

grahamc’s picture

grahamc
Location Oxford, UK
commented
StatusFileSize
new 3333943-2.require_login.Cannot-log-in-via-link-in-welcome--password-reset-emails.patch396 bytes

Attaching (trivial) patch.

grahamc’s picture

grahamc
Location Oxford, UK
commented
StatusFileSize
new 3333943-3.require_login.Cannot-log-in-via-link-in-welcome--password-reset-emails.patch420 bytes

Apparently the user.login.form route also needs to be unblocked so it can show the form with login button. Adding revised patch.

seutje’s picture

seutje commented
Status: Active » Needs review

I second this.
We had /user/reset/* in the list of paths (reversing the condition), but after updating from 3.0.2 => 3.0.4, the config was changed and that path was removed somehow, while retaining other paths.
Having this in the list of protected routes would have prevented that altogether.

bobooon’s picture

bobooon commented
Status: Needs review » Reviewed & tested by the community

Makes sense and I agree both routes should be ignored by default.

  • grahamC authored abbcccbe on 3.x 
    Issue #3333943 by grahamC: Cannot log in via link in welcome / password...
bobooon’s picture

bobooon commented
Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.