Problem/Motivation

Clicking the forgot password link generates a one-time-use password reset link, which is sent via mail. After clicking the link, we can see that Password and Confirm password are not mandatory fields, which misguides the user at the UX and functionality level.

Actual Result - On the page reached through the one-time password link, Password and Confirm password are not compulsory.

Expected Result - When a user follows the one-time link to set the password, the 'Password' and 'Confirm Password' fields should be mandatory.

Steps to reproduce

  1. Install a new Drupal instance
  2. Installed Development Environment module, which allowed me to test the mail
  3. Created new user
  4. Reviewed site log report for One time link
  5. Click on one time login link
  6. Observe that the password and confirm password fields are not compulsory.

Proposed resolution

When a user follows the one-time link to set the password, the 'Password' and 'Confirm Password' fields should be mandatory.

Remaining tasks

Update issue summary
Review patch

User interface changes

Before
Actual result
After
Expected result

Comment | File | Size | Author
#56 | interdiff52-56.txt | 1.96 KB | aarti zikre
#56 | 2855328_56.patch | 2.01 KB | aarti zikre
#52 | 2855328_52.patch | 2.13 KB | asad_ahmed
#47 | 2855328before patch.png | 60.53 KB | aarti zikre
#47 | 2855328 after patch.png | 60.12 KB | aarti zikre
#40 | interdiff_40-Fail-40.txt | 2.13 KB | danflanagan8
#40 | 2855328-40.patch | 2.13 KB | danflanagan8
#40 | 2855328-40-FAIL.patch | 872 bytes | danflanagan8
#39 | after--patch--pic.png | 23.91 KB | vikashsoni
#39 | before--patch--pic.png | 47.06 KB | vikashsoni
#33 | users-onetime_login_bug_fixes-2855328-33.patch | 1.27 KB | anushrikumari
#25 | reset_success_after.png | 38.14 KB | Pancho
#25 | reset_failure_after.png | 39.9 KB | Pancho
#25 | reset_form_after.png | 39.42 KB | Pancho
#25 | reset_form_before.png | 39.11 KB | Pancho
#25 | 2855328_4-22_diff.txt | 1.81 KB | Pancho
#25 | users-onetime_login_bug_fixes-2855328-22.patch | 1.15 KB | Pancho
#13 | users-onetime_login_bug_fixes-2855328-13-7.patch | 1.02 KB | ashwinparmar
#6 | users-onetime_login_bug_fixes-2855328-4.patch | 927 bytes | sourabh.singhal
#4 | users-onetime_login_bug_fixes-2855328-4.patch | 927 bytes | sourabh.singhal

Comments

Archana.Phatangare created an issue. See original summary.

cilefen’s picture

Before adding tags read the issue tag guidelines.

sourabh.singhal’s picture

Assigned: Unassigned » sourabh.singhal
sourabh.singhal’s picture

Assigned: sourabh.singhal » Unassigned
Status: Active » Needs review
FileSize
927 bytes

Hi,

I have created patch for this. Please review.

Find attached patch.

Thanks
Sourdrup

Status: Needs review » Needs work

The last submitted patch, 4: users-onetime_login_bug_fixes-2855328-4.patch, failed testing.

sourabh.singhal’s picture

Adding patch again. Please review

sourabh.singhal’s picture

Status: Needs work » Needs review

The last submitted patch, 4: users-onetime_login_bug_fixes-2855328-4.patch, failed testing.

cilefen’s picture

At a glance, I think #4 failed because it makes the field required in every possible usage of the form. It seems you uploaded an identical patch in #6. You should read the test results to see what happened.

sourabh.singhal’s picture

Hi cilefen,

Yes, it is the identical patch, and I have already gone through the test results and found that there is no test case failure related to my patch. I have just added a single line of code which works only in the condition when the one-time login link is used for setting up the password.
I have also tested the whole process and flow of user registration and it works perfectly fine as expected.

Thanks
Sourdrup

cilefen’s picture

I do not agree. Some failures are related to this change.

cilefen’s picture

Status: Needs review » Needs work
ashwinparmar’s picture

I have updated my patch, which will help when a user resets their password from the email link (with URL token): it's mandatory to provide password and confirm password.

tameeshb’s picture

Status: Needs work » Needs review

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

ideaseed’s picture

Issue tags: +Vienna2017

I am working on this issue at DrupalCon Vienna (mentored core sprints) with @sugaroverflow.

ideaseed’s picture

Steps to test this issue:
# Created a dev desktop site with appropriate version: http://drupal-8-5-x-dev.dd:8083/
# Installed Development Environment module to allow me to test emails
# Created new user "jenn-test"
# Reviewed site log report for email sent to "jenn-test"
jenn-test,
A site administrator at Triage has created an account for you. You may now log in by clicking this link or copying and pasting it into your browser:
http://drupal-8-5-x-dev.dd:8083/user/reset/7/1506686934/BT9SI1QRBWWj6Nj8...
This link can only be used once to log in and will lead you to a page where you can set your password.
After setting your password, you will be able to log in at http://drupal-8-5-x-dev.dd:8083/user in the future using:
username: jenn-test
password: Your password
-- Triage team
# Copied and pasted the link to a new incognito window in browser
# Clicked on login link (see screenshot)
# Observed the Password and Confirm Password fields are NOT showing as required, so this test fails.

ideaseed’s picture

Status: Needs review » Needs work

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Pancho’s picture

Version: 8.7.x-dev » 8.6.x-dev
Issue tags: +Needs tests

Bug fix goes to 8.6.x-dev. Also needs tests, including a test-only patch.

FiNeX’s picture

Hi, I've added an upgraded patch for 8.6.x-dev.

Instead of always setting the password required, this patch only requires it on the reset password form after the one-time login.
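
The distinction raised in this thread (requiring the password in every use of the form versus only after a one-time login), as an added example that is not part of the thread or of any attached patch: a hypothetical custom module, `onetime_pass_required`, that applies the requirement through a form alter hook. The module and function names are assumptions; the `user_pass_reset` flag is the one read in core's `AccountForm.php`.

```php
<?php

/**
 * @file
 * Hypothetical custom module "onetime_pass_required" (name is an assumption).
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for the user account edit form.
 */
function onetime_pass_required_form_user_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Flag read by core's AccountForm; truthy when the form was reached
  // through a one-time login link.
  $via_one_time_link = (bool) $form_state->get('user_pass_reset');

  // Scope the change to the reset flow. Setting #required unconditionally
  // would also demand a new password on every ordinary profile edit.
  if ($via_one_time_link && isset($form['account']['pass'])) {
    // #required is enforced by Form API validation on the server, so an
    // empty submission is rejected even if the browser attribute is removed.
    $form['account']['pass']['#required'] = TRUE;
    $form['#validate'][] = 'onetime_pass_required_validate';
  }
}

/**
 * Validation handler: reject an empty password in the one-time link flow.
 *
 * Kept as a second check in case another module alters #required back.
 */
function onetime_pass_required_validate(array &$form, FormStateInterface $form_state) {
  $password = (string) $form_state->getValue('pass');
  if ($form_state->get('user_pass_reset') && $password === '') {
    $form_state->setErrorByName('pass', t('Enter a new password to finish setting up your account.'));
  }
}
```

This only governs submission of the account form; it does not stop a user who arrived through the link from leaving the page without saving.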

FiNeX’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 22: 2855328-require-pass-only-on-reset.patch, failed testing. View results

Pancho’s picture

[Dammit, crosspost. Still posting:]

Here's an updated patch, taking D7 patch #13 into account, with screenshots. Tests still needed.

Before:
before

After:
after

With no password being given:
failure

Password correctly given:
success

Pancho’s picture

Issue summary: View changes

Added expected/actual screenshots to IS.

Pancho’s picture

Version: 8.6.x-dev » 8.7.x-dev
Status: Needs work » Needs review

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Sam152’s picture

Status: Needs review » Needs work

This is NW for tests.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

alternativo’s picture

Hi,
I'm using D8.9.3 and the problem is still there...
A new user who registers himself, receives the confirmation email after an admin unblocks his account, and opens the one-time link in the email can avoid setting the password and go navigating the site's links, thus not having a password for future logins.
He should be forced to set the password (and the other required fields) before being allowed to navigate the site.
Are there any updates on that?

thanks

anushrikumari’s picture

Status: Needs work » Needs review
FileSize
1.27 KB

Rerolled patch for 9.1.x

alternativo’s picture

Hi,
thanks @anushrikumari for the very fast reply... the patch works well for me (Drupal 8.9.3)!
But my issue is another, and maybe I was not so clear... The problem is that even if the new user does not fill in the password field (which is now required with the patch) and does not edit/save the profile, he can start to navigate the site's links without having set a password to log in again: if he logs out, to log in again he will have to do the password recovery procedure. I think he should be forced to save the profile (and so create the password), and not have the possibility to open other links on the site.

Maybe it's not so easy to do...:/

tanubansal’s picture

Tested #33 for the below mentioned steps :
Admin sends an invite to the user by assigning a role and notifying the user through an email
User will receive an email at his email address with a one-time link to log in to the site
User has to click on the 'Log in' button on the first screen
Now on the next screen, the user will have 'password' and 'confirm password' fields, but if the user clicks the 'Save' button without entering 'password' and 'confirm password', Drupal allows saving the form as the fields are not mandatory

Works fine for me on 9.1

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Archana.Phatangare’s picture

vikashsoni’s picture

Applied patch #33, working fine; sharing screenshots for reference.

Steps to reproduce ---
--- Install drupal-9.3.x-dev
--- Create a test user
--- Generate a one-time login link
--- See that the password and confirm password fields are not required
--- Now apply the patch, rebuild the cache, and see that password and confirm password are mandatory fields

danflanagan8’s picture

Here's a fail test and a mash-up of #33 with the fail test. The interdiff shows the diff between these two patches, which is equivalent to the fix in #33.

The last submitted patch, 40: 2855328-40-FAIL.patch, failed testing. View results

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

gtoyloy18’s picture

The #40 2855328-40.patch file works correctly.
Thanks.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Andrew Answer’s picture

Hello all, I created a simple module, Min Password, for fixing this issue. You can set up password length with this module, and users can't save zero-length passwords any more.

aarti zikre’s picture

Assigned: Unassigned » aarti zikre
aarti zikre’s picture

#45 that's great stuff
Verified patch for Drupal 9.5.x dev version
https://www.drupal.org/files/issues/2021-09-30/2855328-40.patch

Testing Steps:
* Install a new Drupal instance
* Installed Development Environment module, which allowed me to test the mail
* Created new user "azikre"
* Reviewed site log report for email sent to "azikre"
* Click on one time login link

Problem:
Password and confirm password fields are not compulsory

Test Result:
Verified that after applying patch both the fields are set as required

Refer SS
Before apply Patch
before patch
After apply Patch
2022-07-15/2855328 after patch.png
Mail Details:
Time: 07/15/2022 - 13:27

Recipient: test@gmail.com

Subject: An administrator created an account for you at test2
Body: zaarti, A site administrator at test2 has created an account for you. You may now log in by clicking this link or copying and pasting it into your browser: http://test2.lndo.site/user/reset/5/1657871870/T5se1wUGmXW-BlXYCHLE_L7Xn... This link can only be used once to log in and will lead you to a page where you can set your password. After setting your password, you will be able to log in at http://test2.lndo.site/user in the future using: username: zaarti password: Your password -- test2 team

Headers:Array

Test Result Pass
Can be moved to RTBC

aarti zikre’s picture

Assigned: aarti zikre » Unassigned
Status: Needs review » Reviewed & tested by the community
quietone’s picture

Issue summary: View changes
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs issue summary update, +Novice

@aarti zikre, thanks for the work on this issue.

A few more things need to be done before this is ready for a committer.

The issue summary is out of date. It is simplest to add the standard template and complete the sections. Also, the latest screenshots should be in the Issue summary for easy review. Adding tag. I've added the template but it still needs an update. This is suitable for a novice, adding tag.

This is testing on 9.3 instead of 9.5.x, changing version.

I don't see any code review. Looking now.

+++ b/core/modules/user/src/AccountForm.php
@@ -152,10 +152,13 @@ public function form(array $form, FormStateInterface $form_state) {
+        // If logged in via a one-time login link, the user may change their
+        // password without giving their current password. However, entering a
+        // new password is required in this case.
+        if ($form_state->get('user_pass_reset')) {
...
+        else {
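
Review bot: The body between the if ($form_state->get('user_pass_reset')) line and else { is elided here, so these lines do not show how the requirement stated in the new comment is enforced. The code under that comment should set the requirement on the password element itself, so that Form API validation rejects an empty submission on the server rather than only marking the field visually. The else path should leave ordinary profile edits unchanged, since #4 in this thread failed for requiring the field in every use of the form, and the accompanying test should exercise both paths.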

I think the comment could be a lot simpler and clearer. What about this?

        // If logged in via a one-time login link entering a new password is
        // required and the user does not need to enter their current password.

asad_ahmed’s picture

I am working on this issue.

asad_ahmed’s picture

Assigned: Unassigned » asad_ahmed
asad_ahmed’s picture

Made changes as per #40, still needs issue summary update.

asad_ahmed’s picture

Assigned: asad_ahmed » Unassigned
aarti zikre’s picture

Issue summary: View changes
Status: Needs work » Needs review

IS updated

aarti zikre’s picture

Issue summary: View changes
aarti zikre’s picture

updated patch with comments

tiwariraj91929’s picture

Status: Needs review » Reviewed & tested by the community

patch comment updated as requested by #49.

idebr’s picture

Why should the password field be required after using the one-time login link?

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 56: 2855328_56.patch, failed testing. View results

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.