no ‘required password reset’

Need help with the Administration of your Joomla! 4.x site? This is the spot for you.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10
Post Reply
Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 166
Joined: Mon Dec 12, 2011 5:55 pm

no ‘required password reset’

Post by Thomsterdam » Mon Jan 08, 2024 2:29 pm

This is about adding a new user to the site by the Super User.
Joomla is sending my new user his/her login details, when I add a new user to the website. In the User Settings I put the field ‘Require Password Reset’ to YES.
I expect the user to be confronted with the obligatory password reset, but... the user is able to log in with the password I have sent, and is not asked to reset the password.

Am I missing something?

FYI: Joomla 4.3.3. website, converted from Joomla 3
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

User avatar
AMurray
Joomla! Exemplar
Joomla! Exemplar
Posts: 9842
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: no ‘required password reset’

Post by AMurray » Mon Jan 08, 2024 9:51 pm

First update to the latest Joomla 4 - 4.4.1 then see if you have the same issue. You're using a version that's 18 months out of date. (4.3.3 was released July 2023).

Joomla Update should show you the latest version (4.4.1), and for the migration 3.10.to 4 should have shown you 4.4.1, not 4.3.3

If you need to update to 4.4.1 via the Upload and Update method, you can find the packages here:
https://downloads.joomla.org/cms/joomla4

As far as I know, Joomla never sends the actual password to the user. Normally you would use the password reset function (link located under the log-in form).

This seems to explain/discuss the issue: https://github.com/joomla/joomla-cms/issues/38788 - check and see if the solutions explained help in your case. But....it sounds like a solution has not yet been implemented. Maybe someone else can confirm this, I'm just going from this Github discussion but it is talking about Joomla 4.2.2, not 4.3.3.

The Github post concludes that a contributing factor to this bug would seem to be when MFA is enabled, the "force password reset" doesn't work and the proposed solution is, where MFA is enabled, that Joomla should simply redirect to the Change Password page, where you have to fill in your email, so that it sends you the reset password link.
Regards - A Murray
General Support Moderator

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17501
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: no ‘required password reset’

Post by toivo » Mon Jan 08, 2024 10:18 pm

The issue is still there in Joomla 4.4.1 and 5.0.1. A quick test shows that it does not seem to have anything to do with MFA. I will submit a new bug report and tag the RC versions.
Toivo Talikka, Global Moderator

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17501
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: no ‘required password reset’

Post by toivo » Wed Jan 10, 2024 9:27 pm

The new bug report was shot down in flames because of the existence of the previous one. No bumping, like here in the forum.

After the user has logged in, nothing happens until the user tries to access a page that requires Registered access or above. Only then the user sees the system information message "You are required to reset your password before proceeding" together with the Profile page, where it is possible to change the password.

In the past the request to reset the password used to come up immediately after a successful login. However, the fix seems to have become more complicated because of MFA. Still, it would be good to restore the old behaviour at least where MFA is not involved.
Toivo Talikka, Global Moderator

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 166
Joined: Mon Dec 12, 2011 5:55 pm

Re: no ‘required password reset’

Post by Thomsterdam » Wed Jan 10, 2024 11:01 pm

Thank you very much for looking into it, Toivo. When I'm back in the office next week I'll test this and adjust the 'welcome' email accordingly. I often use this feature, as I, as a Super User, often add new users with certain access levels to the site and give them a temporary password.

I am surprised that this bug doesn't have a higher priority, as it has been a core feature of Joomla for as long as I can remember. Introducing MFA should not break a great feature that works well.

Could you give me a URL for the reported bug? Then I should be able to follow the developments there.

Thanx again,


Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

User avatar
toivo
Joomla! Master
Joomla! Master
Posts: 17501
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: no ‘required password reset’

Post by toivo » Wed Jan 10, 2024 11:06 pm

Cheers. As pointed out by @AMurray, the original bug report is from Joomla 4.2.2 in October, 2022: 4.2.2 User Require Password reset doesn't work #38788
Toivo Talikka, Global Moderator

linets
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Jun 08, 2021 9:06 am

Re: no ‘required password reset’

Post by linets » Mon Apr 22, 2024 2:57 pm

Rather than having to add a "me too" reply to forum posts for this problem or the issues list on Github, is there a way Joomla users can indicate they're also experiencing a reported issue to help the community prioritise fixes?

Apologies if this is explained somewhere, but I don't know how to find out if issues are being addressed. For example, https://github.com/joomla/joomla-cms/issues/38788 was opened in September 2022 and it's unclear if it's being looked at.


Post Reply

Return to “Administration Joomla! 4.x”