clef/clef-wordpress

Add password resets for non-Clef users via override url when disable passwords for all users = true

Opened this issue · 0 comments

lolux commented

User report: https://wordpress.org/support/topic/reset-password-lnot-working-anymore

Behavior confirmed in version 2.4.0. To reproduce:

  1. Turn on password disabling for all users
  2. Enable override URL
  3. For a non-Clef-enabled WP user, attempt to perform a password reset via the override URL
    1. Expected result: successful password reset
    2. Actual result: user receives error: “Password reset is not allowed for this user”

Also confirmed in prior versions (i.e., 2.4.0 did not introduce a bug). If I recall, back when the force Clef and override URL features were added (~ version 1.7), we chose not to allow password resets, even at the override URL, when disable passwords for all users was turned on. The reasoning behind this decision involved reducing the attack vector from malicious password reset requests (i.e., account takeover via email account breach).

There's room to discuss whether it makes sense to add the ability to perform password resets via the override URL.
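As an added illustration (not code from clef/clef-wordpress), here is how the two policies discussed in this issue map onto the WordPress `allow_password_reset` filter, the core hook whose `false` result produces the error quoted above; the option names, the user meta key and the override-request check are assumptions made for the example:

```php
<?php
// Added example, not code from clef/clef-wordpress. WordPress core applies the
// 'allow_password_reset' filter inside get_password_reset_key(); returning false
// from it produces the "Password reset is not allowed for this user" error.
// All option names, meta keys and the override check below are hypothetical.

// Hypothetical option keys standing in for the plugin's real settings.
define( 'EX_OPT_DISABLE_PASSWORDS_ALL', 'ex_disable_passwords_for_all_users' );
define( 'EX_OPT_OVERRIDE_URL_ENABLED',  'ex_override_url_enabled' );
define( 'EX_OPT_OVERRIDE_KEY',          'ex_override_key' );

// Hypothetical: has this user connected a Clef account?
function ex_user_is_clef_enabled( $user_id ) {
    return '' !== (string) get_user_meta( $user_id, 'ex_clef_id', true );
}

// Hypothetical: did the request arrive through the override URL? The reset must be
// tied to the override secret, otherwise "disable passwords for all users" could be
// bypassed by anyone reaching wp-login.php?action=lostpassword.
function ex_request_is_override() {
    $secret = (string) get_option( EX_OPT_OVERRIDE_KEY, '' );
    $given  = isset( $_REQUEST['override'] ) ? (string) $_REQUEST['override'] : '';
    return '' !== $secret && hash_equals( $secret, $given );
}

// Behaviour reported in the issue: with passwords disabled for all users, resets
// are refused for everyone, including at the override URL.
function ex_allow_password_reset_current( $allow, $user_id ) {
    return get_option( EX_OPT_DISABLE_PASSWORDS_ALL ) ? false : $allow;
}

// Behaviour the issue proposes to discuss: additionally permit the reset when the
// override URL is enabled, the request carries the override secret, and the user
// has no Clef account (and so no other way to sign in). Clef-enabled users stay
// blocked, which keeps the email-breach takeover surface closed for them.
function ex_allow_password_reset_proposed( $allow, $user_id ) {
    if ( ! get_option( EX_OPT_DISABLE_PASSWORDS_ALL ) ) {
        return $allow;
    }
    $via_override = get_option( EX_OPT_OVERRIDE_URL_ENABLED ) && ex_request_is_override();
    return $via_override && ! ex_user_is_clef_enabled( $user_id );
}

add_filter( 'allow_password_reset', 'ex_allow_password_reset_proposed', 10, 2 );
```

Whichever policy is chosen, the reset flow still ends in a mailed reset link, so the email-breach risk noted above applies to every user the filter lets through.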