The one-time login link sent out by Drupal when users forget their passwords is of the form
http://example.com/user/reset/UID/TIMESTAMP/HASHEDPASS
which takes the user to a form. Login Destination correctly checks if this form has just been submitted, and if it has, then the redirect is only performed now if variable 'login_destination_immediate_redirect' is TRUE.

But links of the form
http://example.com/user/reset/UID/TIMESTAMP/HASHEDPASS/login
also exist, and are used - for example - by Aegir when it resets the user1 password for a site that it manages and offers a direct link to that site. At the moment, Login Destination is not aware of this possibility, and it always immediately redirects, regardless of whether the option to do so is set. This makes it impossible to reset the user1 password.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

martin_q created an issue. See original summary.

martin_q’s picture

Proposed patch attached.

mglaman’s picture

Status: Needs review » Reviewed & tested by the community

This fixes one time login links. Without the patch even password resets seem busted.

rsvelko’s picture

Status: Reviewed & tested by the community » Needs review

Today, I've committed a fix for #3006755: Redirect for one-time login should happen after setting password (if not configured to happen immediately) and just re-tested specifically the issue you're reporting, all seems fine now bec of the fix in 3006755.

So, @martin_q, @3mglaman,
please re-test and mark as fixed if it's fixed.

I mean test commit e60ea3f i.e. tag: 8.x-1.0-alpha1 i.e. the initial 8.x release.

I tested with /login at the end and w/o it and all works fine now.

Thomas Cys’s picture

Status: Needs review » Reviewed & tested by the community

To this date this is still a problem. The proposed patch works.
@rsvelko This issue has nothing to do with #3006755: Redirect for one-time login should happen after setting password (if not configured to happen immediately) since that is for the Drupal 8 version.

Can this be committed since this otherwise breaks the user reset flow when used in conjunction with https://www.drupal.org/project/tfa

rsvelko’s picture

Status: Reviewed & tested by the community » Fixed

  • rsvelko committed 7409208 on 7.x-1.x authored by martin_q
    Issue #2834091 by martin_q, mglaman, rsvelko, Thomas Cys: Do not...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.