If a user does not enter a current password on the user edit/password reset screen, they get two versions of the user edit form, one stacked on top of the other. Each form has a different set of errors: "Your current password is missing or incorrect; it's required to change the Password." and "Your password has expired. You must change your password to proceed on the site."

This makes it impossible for users stuck in this state to reset their password until they reset the form (which they may very well not realize they need to do). If they then hit the bottommost submit button, they will continue to loop through password reset prompts. See attached screenshots for what these duplicate forms look like.

To reproduce, edit an existing test user account with "Force password change on next login" checked. When logging in as that test user, do not put in a current password, only fill in new password fields. Submit the form. This produces the double form effect. To reproduce the loop, hit the bottommost submit button after correcting the top form fields.


Comments

ccasals created an issue. See original summary.

AohRveTPV’s picture

I believe the cause of this is #2372935: Multiple forms when resetting password in admin theme. See comments #7 and #8 for some explanation of the problem. If you're using the Administration Menu module, you need to add js/admin_menu/cache/* to Extra Allowed Paths in the Password Policy configuration. If you're not using Administration Menu, there are probably some other paths you need to add to Extra Allowed Paths.

You can probably look at the requests in your browser's developer tools to see which paths are being redirected.
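The check suggested in the comment above, as an added example that is not part of the original thread or of the Password Policy module: it reads a HAR export from the browser's developer tools and lists the request paths that were redirected to the password form, which are the candidates for Extra Allowed Paths. It assumes the site is served from the web root and that the forced-change redirect targets a path of the form /user/<uid>/edit; the sample HAR and the path some_module/ajax/status are constructed.

```python
import json
import re
import sys
from urllib.parse import urlsplit

# Assumption: the forced password change redirects to the user edit form,
# whose path looks like /user/<uid>/edit on a site served from the web root.
PASSWORD_FORM = re.compile(r"^/user/\d+/edit/?$")


def redirected_paths(har):
    """Return sorted site-relative paths that were 3xx-redirected to the password form."""
    hits = set()
    for entry in har["log"]["entries"]:
        response = entry["response"]
        if not 300 <= response["status"] < 400:
            continue
        # redirectURL may be absolute or relative; urlsplit handles both.
        target = urlsplit(response.get("redirectURL") or "").path
        if not PASSWORD_FORM.match(target):
            continue  # redirect unrelated to the password change
        path = urlsplit(entry["request"]["url"]).path
        if not PASSWORD_FORM.match(path):  # the form itself is not a candidate
            hits.add(path.lstrip("/"))
    return sorted(hits)


def _entry(url, status, redirect=""):
    """Build a minimal HAR entry (constructed sample data)."""
    return {"request": {"url": url},
            "response": {"status": status, "redirectURL": redirect}}


# Constructed sample: one page load while the account is in the forced-change state.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://example.test/user/42/edit", 200),
    _entry("https://example.test/js/admin_menu/cache/abc123", 302,
           "https://example.test/user/42/edit"),
    _entry("https://example.test/some_module/ajax/status?x=1", 302, "/user/42/edit"),
    _entry("https://example.test/old-page", 301, "https://example.test/new-page"),
    _entry("https://example.test/misc/drupal.js", 200),
]}}

if __name__ == "__main__":
    # Pass a HAR file exported from the browser, or run without arguments for the sample.
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for p in redirected_paths(har):
        print(p)
```

Pages the user navigates to on purpose are redirected too, so review the list and allow only the background requests (scripts, AJAX callbacks) that the password form itself triggers.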

AohRveTPV’s picture

Status: Active » Closed (works as designed)

Please re-open if the issue isn't as I suggest in #2.