Add password resets for non-Clef users via override url when disable passwords for all users = true #235

Open
Description

@lolux

User report: https://wordpress.org/support/topic/reset-password-lnot-working-anymore

Behavior confirmed in version 2.4.0. To reproduce:

  1. Turn on password disabling for all users
  2. Enable override URL
  3. For a non-Clef-enabled WP user, attempt to perform a password reset via the override url
    1. Expected result: successful password reset
    2. Actual result: user receives error: “Password reset is not allowed for this user”

Also confirmed in prior versions (i.e., 2.4.0 did not introduce a bug). If I recall, back when the force Clef and override URL features were added (~ version 1.7), we chose not to allow password resets, even at the override URL, when disable passwords for all users was turned on. The reasoning behind this decision involved reducing the attack vector from malicious password reset requests (i.e., account takeover via email account breach).

There's room to discuss whether it makes sense to add the ability to perform password resets via the override URL.
