@SniperSister Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

@zero-24 Same question to you: Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

Based on code review, user can logout, just not when using Logout menu item type in com_users. Must have been an oversight when menu item was added. So the fix should be valid.

@davichos Do you want to make a pull request with your change? Or do you prefer someone else to do it?

@zero-24 Same question to you: Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

I'm not aware of any but that feature was initial developed by Michael and IIRC uses an whitelist of pages that are still allowed. I personally would argue that when you logged in and you are required to reset your PR you should change it than.

I'm with @zero-24 why would you not want to change it.

So is this a won't fix?

Looks more like a bug looking at the provided source line (and fix)
$this->checkUserRequireReset('com_users', 'profile', 'edit', 'com_users/profile.save,com_users/profile.apply,com_users/user.logout');

if I understand it correctly the last entry would mean logout is allowed.

@richard67 i prefer someone else do it

Thank you for raising this issue.

Joomla 3 is now in security only mode with no further bug fixes or new features.

This issue is still relevant for Joomla 4 BUT the fix etc here is not suitable for Joomla 4