Hi there - this module is exactly what I want, but there's one issue I've found.
My situation is that I have a bunch of users which I've created manually, using real email addresses and a unique password for each. I'd now like to send emails to these users with the one-time-login link so they can access the site and enter their own password for future use.
So I can send them the link and direct them to the user-edit page - but the problem is that they can't edit their email address or choose a new password without entering their "current" password - which they don't have, and which can't be included as a token in the email.
I've used the http://drupal.org/project/nocurrent_pass module as a workaround, but is there any other way to handle this?
Comment | File | Size | Author |
---|---|---|---|
#14 | user_edit_page_can_t_be-1775458-14.patch | 2.28 KB | joelpittet |
#9 | user_edit_page_can_t_be-1775458-9.patch | 3.1 KB | joelpittet |
#9 | interdiff.txt | 3.79 KB | joelpittet |
#7 | login_one_time-disable_current_pass-1775458-7.patch | 2.67 KB | n_potter |
Comments
Comment #1
mortona2k CreditAttribution: mortona2k commentedI have the same issue. I'd like an option to reset their password so they end up on the same page as the default one time login - on the set password page. I'll probably go with the nocurrent_pass route, but still need to force the login redirect to be the user profile edit page instead of view.
Comment #2
Cayenne CreditAttribution: Cayenne commentedI have addressed this on a few sites by hacking the core to not require the old password. It's very bad to do that, but only takes a few lines in the user module. A little module to do this would be much smarter.
Comment #3
dti21 CreditAttribution: dti21 commentedSame issue here. It would be great if it could ignore the current password restriction just for the one time login link.
Comment #4
ericmulder1980 CreditAttribution: ericmulder1980 commentedI've been looking for a answer to this issue myself and have found some (perhaps) usefull information on https://drupal.org/node/889772.
On comment #38 there is some usefull information about the core user module and how it adds a token to the users $_SESSION after clicking on a password reset link. Perhaps this is something that can be taken into the Login one time module?
Comment #5
ptmkenny CreditAttribution: ptmkenny commented@Cayenne (#2): The No Current Password module disables the D7 core password check in general.
Comment #6
arem4ou CreditAttribution: arem4ou commentedWhen taking them to user/*/edit, it's difficult to ensure the user will choose a new password because all the other fields are visible on the page also. Thus, perpetuating the issue.
It might also be nice to include a "brief" implementation as seen in the simple_pass_reset module for the password recovery flow.
https://drupal.org/project/simple_pass_reset
Further explanation: http://www.dave-cohen.com/node/1000030
Comment #7
n_potter CreditAttribution: n_potter commentedI've created a patch that will add an admin option to ignore the current password field (it's in the user section), only when a new login link is requested and the user is redirected to their user edit form. The patch should be able to be run from the module folder, please give it a try and let me know if it's any good.
Comment #8
mortona2k CreditAttribution: mortona2k commentedI reviewed the code in #7 and applied it. Looks good and works well.
However I'm probably going to stop using this module. I had originally installed it so I can send people one time login links via rules. I don't know why we deviate from the core one time login links instead of just sending those. This could be done in rules with:
echo user_pass_reset_url($user);
Seeing this issue made me realize that the button this module puts on user account pages is HORRIBLE UX. It sends people a link so they can get into their account, but if they want to actually change their password, they have to request another password reset link??
Get this patch in, so this module can actually have some utility.
Comment #9
joelpittetCoding standards clean-up. I think this is RTBC but need someone else to verify.
Comment #10
joelpittetComment #11
johnpicozziI reviewed and applied the code in #7 and all looks good and works for me.
Comment #12
joelpittet@johnpicozzi RTBC even?
Comment #13
joelpittetDang since the latest changes, this now needs a reroll.
Comment #14
joelpittetOk Re-rolled. (Nice 3way auto merge on rebase!)
Comment #16
Maedi CreditAttribution: Maedi commentedCommitted to dev. Please test :)
Comment #17
joelpittetThank you @Maedi