The one-time login link sent out by Drupal when users forget their passwords is of the form
http://example.com/user/reset/UID/TIMESTAMP/HASHEDPASS
which takes the user to a form. Login Destination correctly checks if this form has just been submitted, and if it has, then the redirect is only performed now if variable 'login_destination_immediate_redirect' is TRUE.
But links of the form
http://example.com/user/reset/UID/TIMESTAMP/HASHEDPASS/login
also exist, and are used - for example - by Aegir when it resets the user1 password for a site that it manages and offers a direct link to that site. At the moment, Login Destination is not aware of this possibility, and it always immediately redirects, regardless of whether the option to do so is set. This makes it impossible to reset the user1 password.
Comment | File | Size | Author |
---|---|---|---|
#2 | do_not_immediately-2834091-2.patch | 1.16 KB | martin_q |
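
The two link forms from the report and the redirect decision it asks for, as an added example. This is not Login Destination's code or the attached patch. Function names and sample paths are hypothetical, and only the variable name comes from the report.

```php
<?php
// Added illustration, not Login Destination's code; function names are hypothetical.

// Returns 'form' for user/reset/UID/TIMESTAMP/HASHEDPASS, 'login' for the
// same path with a trailing /login, or NULL for any other path.
function classify_reset_path($path) {
  $parts = explode('/', trim($path, '/'));
  $n = count($parts);
  if ($n < 5 || $n > 6 || $parts[0] !== 'user' || $parts[1] !== 'reset') {
    return NULL;
  }
  // Assumption: UID and TIMESTAMP are decimal digits, HASHEDPASS is non-empty.
  if (!ctype_digit($parts[2]) || !ctype_digit($parts[3]) || $parts[4] === '') {
    return NULL;
  }
  if ($n === 5) {
    return 'form';
  }
  return $parts[5] === 'login' ? 'login' : NULL;
}

// Decide whether a login-time redirect may fire on this request.
// $immediate mirrors the 'login_destination_immediate_redirect' variable.
function may_redirect_now($path, $immediate) {
  if (classify_reset_path($path) === NULL) {
    return TRUE; // Not a one-time login link: normal redirect handling.
  }
  // Both link forms honour the setting, so with it off the user still
  // reaches the password form instead of being redirected away from it.
  return (bool) $immediate;
}

// Constructed sample paths (the hash is a placeholder, not a real token).
$samples = array(
  'user/reset/1/1480000000/CONSTRUCTEDHASH',
  'user/reset/1/1480000000/CONSTRUCTEDHASH/login',
  'user/login',
);
foreach ($samples as $p) {
  foreach (array(FALSE, TRUE) as $flag) {
    printf("%-48s immediate=%d redirect_now=%d\n", $p, $flag, may_redirect_now($p, $flag));
  }
}
```
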
Comments
Comment #2
martin_q
Proposed patch attached.
Comment #3
mglaman
This fixes one-time login links. Without the patch even password resets seem busted.
Comment #4
rsvelko
Today, I've committed a fix for #3006755: Redirect for one-time login should happen after setting password (if not configured to happen immediately) and just re-tested specifically the issue you're reporting; all seems fine now because of the fix in 3006755.
So, @martin_q, @mglaman,
please re-test and mark as fixed if it's fixed.
I mean test commit e60ea3f i.e. tag: 8.x-1.0-alpha1 i.e. the initial 8.x release.
I tested with /login at the end and w/o it and all works fine now.
Comment #5
Thomas Cys
To this date this is still a problem. The proposed patch works.
@rsvelko This issue has nothing to do with #3006755: Redirect for one-time login should happen after setting password (if not configured to happen immediately) since that is for the Drupal 8 version.
Can this be committed, since this otherwise breaks the user reset flow when used in conjunction with https://www.drupal.org/project/tfa?
Comment #6
rsvelko