[5.2] Fix password reset broken in backend #44723

Open
wants to merge 2 commits into
base: 5.2-dev

joomdonation
Contributor

Pull Request for Issue #44715

Summary of Changes

This PR fixes password reset broken as described here #44715. Furthermore, I improved the code of checkUserRequiresReset, hopefully making it easier to understand and maintain.

Testing Instructions

Actual result BEFORE applying this Pull Request

  • Infinite redirection when logging in to the backend using an account which has Require Password Reset set to Yes

Expected result AFTER applying this Pull Request

  • No infinite redirection anymore. You can reset the password when logging in with that account to the administrator area of your site

Link to documentations

Please select:

  • No documentation changes for docs.joomla.org needed
  • No documentation changes for manual.joomla.org needed

@joomdonation joomdonation changed the title Fix password reset broken in backend [5.2] Fix password reset broken in backend Jan 12, 2025
}
// In the administrator we need a different URL
if (strtolower($name) === 'administrator') {
$user = Factory::getApplication()->getIdentity();
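Review bot: the `$user = Factory::getApplication()->getIdentity();` line in the administrator branch goes through the global factory, and the comment above it only says a different URL is needed, not why the identity is fetched this way. If the enclosing class provides `getIdentity()` itself, calling `$this->getIdentity()` would avoid the static lookup; otherwise add a one-line comment giving the reason. The visible lines also show no check that the returned identity is non-null, so confirm that the code after this line handles that case.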
Contributor Author

This is from existing code. But does anyone know why we have to use Factory::getApplication()->getIdentity(); instead of $this->getIdentity(); here?

@alikon
Contributor

alikon commented Jan 12, 2025

I have tested this item ✅ successfully on 6fe7ad0


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44723.

@fgsw

fgsw commented Jan 13, 2025

@Eric69-dev Thanks for reporting the bug (#44715). Can you test as the Pull Request needs a second successful test?

@Eric69-dev

> @Eric69-dev Thanks for reporting the bug (#44715). Can you test as the Pull Request needs a second successful test?

Hi,
I tested the pull request on my local Joomla instance. This fixed the redirection issue and the user can connect to the backend but he is not notified to renew his password if "Require Password Reset" is set to Yes.

So it's better but not completely solved in my opinion.

@joomdonation
Contributor Author

Hi @Eric69-dev

When a user logs in and password reset is required, there is a system message displayed: "You are required to reset your password before proceeding". See the attached screenshot. So I do not understand what the difference from the previous behavior is; could you please explain in more detail?

[Screenshot: message]

@Eric69-dev

> Hi @Eric69-dev
>
> When a user logs in and password reset is required, there is a system message displayed: "You are required to reset your password before proceeding". See the attached screenshot. So I do not understand what the difference from the previous behavior is; could you please explain in more detail?

Hi,
With Joomla 5.2.2, the first login of users with password reset required on the backend is automatically redirected to the user profile (with the system message displayed as you mentioned) and users cannot leave the profile page until they do what is asked of them.

Like this:
[Screenshot]

In my opinion, this behavior was good in terms of security because it forced users to immediately customize their passwords.

With version 5.2.3, this mandatory redirection is no longer active and, despite the system message, users who do not reset their password appear with the mention "Password reset required" in the user manager.

@joomdonation
Contributor Author

@Eric69-dev Doesn't it work the same with the change implemented in this PR:

  • The user is redirected to the edit account page with the message "You are required to reset your password before proceeding" asking him to make the change
  • He/She cannot navigate to a different page without making the change

So unless I misunderstood your message, it is working as expected for me.

@Eric69-dev

I re-applied the PR on a fresh install of Joomla 5.2.3 and indeed the expected behavior works correctly.
My previous test instance must be a bit crappy...

Sorry for my mistake and I confirm that the problem is solved.
Thanks Joomla Team!

@alikon
Contributor

alikon commented Jan 14, 2025

@Eric69-dev please mark your successful test at https://issues.joomla.org/tracker/joomla-cms/44723

@Eric69-dev

I have tested this item ✅ successfully on 6fe7ad0



@alikon
Contributor

alikon commented Jan 14, 2025

RTC



@joomla-cms-bot joomla-cms-bot added RTC This Pull Request is Ready To Commit and removed Release Blocker labels Jan 14, 2025
Labels
PR-5.2-dev Release Blocker RTC This Pull Request is Ready To Commit