At present, if someone requests a password reset and submits one of their alternate e-mail addresses, Drupal tells the user that the account doesn't exist. Yet, if they try to register the account with that same email address, they are denied because the e-mail address is in the system. It would be great if a password reset form could also search among the alternate email addresses for the account and allow for resetting via the alternate e-mail.

There are security implications for this fix; it would be best if it was configurable as to whether or not it's in effect.

Comments

tvn’s picture

Issue tags: +affects drupal.org
tvn’s picture

Issue tags: +drupal.org hitlist
deetergp’s picture

Assigned: Unassigned » deetergp
deetergp’s picture

I took this ticket on an embarrassingly long time ago, at the Friday sprint at DrupalCon LA. I had to duck out a little early then, but I finally got some time to take a swing at it this past weekend.

The functionality of it works, in theory, at least. I used $conf['mail_system'] = array('default-system' => 'DevelMailLog'); for routing my mail, but it appears to be going to the correct recipient when alternate email addresses get entered. I have also added a yes/no setting for enabling this ability.

deetergp’s picture

Status: Active » Needs review
drumm’s picture

Status: Needs review » Needs work

The e-mail address %email is registered but has not been confirmed

In this case, let's fall back to the generic error message set by user_pass_validate(). No need to provide extra information about an email's status.

The main password reset does send reset emails to unconfirmed email addresses; let's make that an option, so the yes/no choice becomes:

Accept password reset emails to other email addresses:
o Disable
o Only for confirmed emails
o All email addresses

$language = $GLOBALS['language']; is unused and can be removed.
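
The review points above (a three-way setting, and one generic error regardless of an address's status) can be seen together in the following added example, which is not part of the thread and is not the committed patch. It is plain PHP with no Drupal bootstrap; the constant names, function name, message text and sample data are all assumptions made for illustration.

```php
<?php
// Added illustration in plain PHP; every name and value here is hypothetical.
const RESET_ALT_DISABLED = 0;   // "Disable"
const RESET_ALT_CONFIRMED = 1;  // "Only for confirmed emails"
const RESET_ALT_ALL = 2;        // "All email addresses"
// Stand-in for the generic message; it never describes an address's status.
const GENERIC_ERROR = 'Sorry, that user name or e-mail address is not recognized.';

// Constructed sample data standing in for the primary and alternate address tables.
$primary = array('alice@example.com' => 1);
$alternates = array(
  'alice@work.example' => array('uid' => 1, 'confirmed' => TRUE),
  'alice@old.example' => array('uid' => 1, 'confirmed' => FALSE),
);

/**
 * Resolves a submitted address to an account under the configured mode.
 * Returns array('uid' => int|NULL, 'error' => string|NULL).
 */
function resolve_reset_account($input, $mode, array $primary, array $alternates) {
  // Assumption: addresses are stored lower-cased, so normalise before lookup.
  $mail = strtolower(trim($input));
  if (isset($primary[$mail])) {
    return array('uid' => $primary[$mail], 'error' => NULL);
  }
  if ($mode !== RESET_ALT_DISABLED && isset($alternates[$mail])) {
    $alt = $alternates[$mail];
    if ($mode === RESET_ALT_ALL || $alt['confirmed']) {
      return array('uid' => $alt['uid'], 'error' => NULL);
    }
  }
  // Unknown address, feature disabled, and registered-but-unconfirmed all end
  // here, so the response cannot be used to learn which case applied.
  return array('uid' => NULL, 'error' => GENERIC_ERROR);
}

$inputs = array('alice@work.example', 'alice@old.example', 'nobody@example.org');
foreach (array(RESET_ALT_DISABLED, RESET_ALT_CONFIRMED, RESET_ALT_ALL) as $mode) {
  foreach ($inputs as $input) {
    $r = resolve_reset_account($input, $mode, $primary, $alternates);
    $outcome = $r['uid'] === NULL ? $r['error'] : 'reset allowed for uid ' . $r['uid'];
    printf("mode=%d %-20s => %s\n", $mode, $input, $outcome);
  }
}
```

In the "Only for confirmed emails" mode, the unconfirmed address and the unknown address produce the identical message, which is the behaviour the review asks for.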

deetergp’s picture

Good idea on the three options. Give this one a try.

deetergp’s picture

Status: Needs work » Needs review
drumm’s picture

Status: Needs review » Fixed

Committed with a bit of code cleanup. Thanks!

  • drumm committed 0bc5ea6 on 7.x-1.x authored by deetergp
    Issue #2463935 by deetergp: Code style
    
  • drumm committed d55df64 on 7.x-1.x authored by deetergp
    Issue #2463935 by deetergp: Play nice with Password Resets
    
drumm’s picture

Issue tags: +needs drupal.org deployment
drumm’s picture

Issue tags: -needs drupal.org deployment

Drupal.org now allows resets for confirmed email addresses.

tvn’s picture

Hooray! Thanks deetergp!

darrellduane’s picture

Yes, Hooray, Thanks deetergp & drumm!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.