How to prevent one user from being able to change their password? Topic is solved

General questions relating to Joomla! 4.x.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

How to prevent one user from being able to change their password?

Post by sozzled » Wed Sep 08, 2021 9:07 pm

Of course, everyone should be able to change their password; that's just a normal precaution that people should take and, if you have registered an account on a J! website, there are facilities that the website owner should provide to allow people to change their password (and/or other account credentials such as email address) irrespective of whether or not we're talking about J! websites.

In fact, if you forget your password in J!—except in the case of administrator accounts—there's a feature in the login module (or menu item) that provides the means for someone to set their password to something else.

In the situation that I'm looking at, I have a website with several user accounts (the usual no-frills "Registered" user ones) but I would like a unique user account that's a little different from the others. In the one specific case, I would like to prevent anyone who uses that account from having any kind of password reset ability. This includes being able to access the Edit Profile menu item as well as using the "Forgot Password" mechanism.

Well, it probably doesn't matter if someone tries the "Forgot Password" feature because they won't get any email giving them instructions on how to change the password.

Is my question clear enough? What advice would people give in this situation, please? :)

KevBallard
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 08, 2021 11:01 am

Re: How to prevent one user from being able to change their password?

Post by KevBallard » Thu Sep 09, 2021 7:00 am

Hi Sozzled,

I can think of one thing that should work, but would require a bit of PHP knowledge, and would only block the user in the last stage of the password reset process (entering a new password).

So...

- Create a user group, as a child of Registered, call it something like 'No Password Reset'
- Create a template override of the user screen for the 'complete' layout
- At the top of the override add a bit of code that first gets the user id of the user we are trying to reset the password for, something like this seems to do it

```php
// The reset flow keeps the id of the account being reset in the user state.
$app = JFactory::getApplication();
$userId = $app->getUserState('com_users.reset.user');
```

- Query the user groups to get the array of groups this user belongs to

```php
// Ids of every group the user belongs to.
$groups = JAccess::getGroupsByUser($userId);
```

- If the id of your No Password Reset group is in the array that is returned then display a message informing the user they cannot change their password at this time, else display the normal password confirmation form.

As for preventing them viewing the profile, you might be able to do this by using Joomla's ACL to deny access to the edit part of the user component to the No Password Reset group.

There may be slightly more elegant ways to do this, but it would require a little more thought, and probably a bit more code.

Hope this helps.
Kev

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to prevent one user from being able to change their password?

Post by sozzled » Thu Sep 09, 2021 7:08 am

Thanks a lot for your reply, mate. Writing PHP and/or creating template overrides are not things that faze me too much. However, from what you've written, it appears there's no built-in mechanism to set a user's account to "This account is captive and doesn't allow anyone other than a site administrator to make changes to it."

If the specified account were to be made a child of the Registered group, and if we were to write a system plugin that contained the logic to disable the password-changing things, that might be another way to address this matter. I would have thought that it should be possible to place that account in a usergroup and use ACLs to deny access to certain functionality. I just don't know what "functions" would need to be changed from allowed to denied.

It's not a biggie: I'm just curious as to how to lock-down a user's account in a way that prevents that user making any changes to their account while, at the same time, allowing anyone who uses that account to access those features of a J! website that are enjoyed by "normal" users.

SharkyKZ
Joomla! Hero
Posts: 2906
Joined: Fri Jul 05, 2013 10:35 am
Location: Parts Unknown

Re: How to prevent one user from being able to change their password?

Post by SharkyKZ » Thu Sep 09, 2021 7:28 am

Do not follow the advice above. It's right in that you need custom code. But you mustn't do this at a presentation level (view or layout) because it can be easily circumvented. This needs to be done earlier.

There are a number of ways of doing this using a plugin, depending on the UX you want to achieve.
  • onAfterRoute event can be used to prevent access to profile/reset form pages completely.
  • onContentPrepareForm event can be used to disable password fields and add validation.
  • onUserBeforeSave event can be used to prevent saving the user when new password is set.
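
The second and third options from the list above, sketched as a Joomla 4 user plugin. This is an added example, not code posted in this thread or taken from Joomla itself; the plugin name `captiveaccount` and its `locked_group` parameter are assumptions. Hiding the fields is cosmetic; the check in `onUserBeforeSave` is what enforces the rule, because it runs server-side on every save, including the final step of the password reset.

```php
<?php
// Added example: plugins/user/captiveaccount/captiveaccount.php (hypothetical plugin name).
defined('_JEXEC') or die;

use Joomla\CMS\Access\Access;
use Joomla\CMS\Form\Form;
use Joomla\CMS\Plugin\CMSPlugin;

class PlgUserCaptiveaccount extends CMSPlugin
{
    protected $app; // Application object, populated by CMSPlugin.

    // True when the user is in the group chosen in the hypothetical "locked_group" parameter.
    private function isLocked(int $userId): bool
    {
        $groupId = (int) $this->params->get('locked_group', 0);

        return $userId > 0 && $groupId > 0 && in_array($groupId, Access::getGroupsByUser($userId));
    }

    // UX only: hide the password fields on the front-end profile form.
    public function onContentPrepareForm(Form $form, $data)
    {
        $actor = $this->app->getIdentity();

        if ($form->getName() === 'com_users.profile' && $actor && $this->isLocked((int) $actor->id)) {
            $form->removeField('password1');
            $form->removeField('password2');
        }

        return true;
    }

    // Enforcement: $user holds the stored values, $data the values about to be saved.
    public function onUserBeforeSave($user, $isNew, $data)
    {
        $actor = $this->app->getIdentity();

        if ($isNew || !$this->isLocked((int) $user['id']) || ($actor && $actor->authorise('core.manage', 'com_users'))) {
            return true; // New accounts, unlocked accounts and user managers are unaffected.
        }

        // Compare hashes, not form input; email is included because the reset link is sent there.
        if ($user['password'] !== $data['password'] || $user['email'] !== $data['email']) {
            $this->app->enqueueMessage('This account cannot be changed.', 'error');
            return false; // A false result aborts the save.
        }

        return true;
    }
}
```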

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to prevent one user from being able to change their password?

Post by sozzled » Thu Sep 09, 2021 7:33 am

Thanks, mate. Gold star for you. I also don't want to tinker with template overrides for J! 4 at this early stage of the game. We don't know what changes lie ahead for J!'s supported templates and we could be revisiting any template overrides we may write. So, yeah, looks like it's got to be handled with a custom user plugin. Cheers. 8)

KevBallard
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 08, 2021 11:01 am

Re: How to prevent one user from being able to change their password?

Post by KevBallard » Thu Sep 09, 2021 8:00 am

Agreed, a plugin would be the correct way to go. My approach was just off-the-cuff thoughts, assuming a basic level of understanding, and limited Joomla development ability.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How to prevent one user from being able to change their password?

Post by sozzled » Thu Sep 09, 2021 8:09 am

No problems, Kev. I've travelled this path before: I have to say, in hindsight, I now regret writing some of the ideas I came up with way back then. Even I suggested using a template override! :-[

Ah well. ;D

