I've set up Persistant Login with the default security settings (ie. Prompt for password on user admin pages).

When a user visits their 'edit profile' page, they are prompted for a password as expected. However, they are given the default user/login block, complete with 'Request New Password' link.

Because the user is still logged in to the site, clicking on the 'Request New Password' link results in an 'Access Denied' message.

I'd suggest that PL needs to either:

i) provide their own 'password verification' form,
ii) somehow disable the 'Request New Password' link, or
iii) somehow perform a forced logout on the user if they click the 'Request New Password' link.

Of course ... the more I think about it, the more I start thinking it's actually core's job to hide the 'Request New Password' link if a user is logged in ... but I'll leave this report here to get your thoughts and feedback on it.

Comments

francewhoa’s picture

The following module is able to do that. Maybe some code can be re-use? http://drupal.org/project/noreqnewpass

gapple’s picture

Version: 6.x-1.4 » 6.x-1.x-dev
Category: feature » bug

Core does hide the links if the user is logged in: the access callback is user_is_anonymous. However, Persistent Login forces the user to login again by changing the active user to the anonymous user, and so the user is seen as anonymous until they visit another page and the PL session variable is reset. Therefore, core does not know that the links should not be available in this special case.

D7 allows logged in users to reset their password, so that link won't be an issue, but it may be necessary to remove the 'Create new account' link still.

I've pushed a fix to the 6.x branch to disable access to the register and password pages if the user is being reauthenticated, but I think it would be good to instead backport the password reset form from D7 to D6 so that a logged-in user can still reset their password.
http://drupal.org/commitlog/commit/2226/e4c166c258452f0b8da455dd4041aa3e...

gapple’s picture

I just pushed a commit to remove the 'Create Account' link in 7.x
http://drupal.org/commitlog/commit/2226/f5ce6ee38383b5187d8503ce4661ffaa...

gapple’s picture

Status: Active » Fixed

I've opened #1262920: Allow logged in users to reset password to address enabling the request password form for logged in users.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.