Pull Request for Issue #15307
This has been reported to the JSST by @brianteeman, but it has been decided to handle it in the public tracker as this is a longstanding and public issue anyway. cc @joomla/security
Old: Different messages for different cases that could be used to do user enumeration.
New: One general message used for all cases.
In the special case of the SU there is a mail in the background to inform him about the steps he has to take.
None.
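As an added example (not code from this PR or from Joomla) of the approach the description outlines: one generic notice for every outcome of a reset request, with the Super User case handled by an out-of-band mail rather than a distinct on-screen message. The User, Mailer and ResetController names are hypothetical.

```php
<?php
// Added example, not Joomla's own code: one generic reset notice for every
// outcome, with the Super User case handled by an out-of-band mail instead of
// a distinct on-screen message. User, Mailer and ResetController are hypothetical.
const GENERIC_NOTICE = 'If the email address you entered is registered on this site you '
    . 'will shortly receive an email with a link to reset the password for your account.';

final class User { public function __construct(public string $email, public bool $blocked, public bool $superUser) {} }

interface Mailer { public function send(string $to, string $subject, string $body): void; }

final class ResetController
{
    /** @param array<string, User> $users constructed lookup table keyed by email */
    public function __construct(private Mailer $mailer, private array $users) {}

    /** Old behaviour: every branch tells the caller something about the account. */
    public function requestResetLeaky(string $email): string
    {
        $user = $this->users[$email] ?? null;
        if ($user === null)   { return 'No user with that email address.'; }
        if ($user->blocked)   { return 'This account is blocked.'; }
        if ($user->superUser) { return 'Super Users cannot request a password reset.'; }
        $this->sendResetLink($user);
        return 'A reset link has been sent to your email address.';
    }

    /** New behaviour: identical response; any difference reaches only the mailbox owner. */
    public function requestReset(string $email): string
    {
        $user = $this->users[$email] ?? null;
        if ($user === null || $user->blocked) {
            return GENERIC_NOTICE;              // silently do nothing
        }
        if ($user->superUser) {
            $this->mailer->send($user->email, 'Password reset request',
                'For security reasons a Super User cannot request a password reset this way. '
                . 'Contact another Super User or use the method described in the documentation.');
        } else {
            $this->sendResetLink($user);
        }
        return GENERIC_NOTICE;                  // same text as for unknown or blocked accounts
    }

    private function sendResetLink(User $user): void
    {
        $token = bin2hex(random_bytes(32));     // real code stores only a hash of the token
        $this->mailer->send($user->email, 'Password reset', "Use this token to reset: {$token}");
    }
}
```

The response text is now identical, but the branches still take different amounts of time (sending mail versus doing nothing), so a deployment that cares about enumeration should queue the mail and respond before it is sent.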
Status | New | ⇒ | Pending |
Category | ⇒ | Front End com_users Language & Strings |
I have just applied the suggestions thanks @brianteeman
@joomla/bug-squad can we have some tests here? I will create a RC tomorrow and I would like to have this merged.
I have tested this item
These items worked fine, test ok.
"install a site with this patch applied
create a non-superuser
try to reset the non-superuser
all should work correctly but with a different message"
These items didn't work for me.
"try to reset the superuser
there is now the same message, but in the background a new mail is sent to the super user telling him that he can't do what he wanted to do, but how to do it.
enable joomla debug mode (and also make sure error reporting is active).
try to reset the super admin again
you now get the old error message but with the docs linked."
I never received an email telling me the steps I need to take to reset the super user pw. I don't think it's an email issue as the non-super user I set up DID send me verification codes via email.
I never received an email telling me the steps I need to take to reset the super user pw. I don't think it's an email issue as the non-super user I set up DID send me verification codes via email.
Hmm, but you did get the "old" message, right?
With the patch applied, I got the message:
"Notice
Empty message body
If the email address you entered is registered on this site you will shortly receive an email with a link to reset the password for your account."
Never got the email.
Hmm, that does not make sense; I will have to debug that. Just in case: it should be sent to the mail address that is set in the super user that you try to reset.
Can you see any errors in the PHP error log? Maybe I messed up something here.
Can you see any errors in the PHP error log? Maybe I messed up something here.
I don't have any idea how to check for errors in the PHP error log. I know that sucks. I did try, and in error_log.txt there was nothing there. Maybe I'd need to talk to Rochen about it?
Ok, no problem, I will have to add debugging this to my todo list.
Please test again @bayareajenn; it took longer than expected for sure :D
I have tested this item
It's working now. Got the new message with the patch applied:
"Notice
If the email address you entered is registered on this site you will shortly receive an email with a link to reset the password for your account."
Then I received the email stating:
"Hello,
A request has been made to reset your [SITE] account password. But, for security reasons, a Super User can't request a password reminder. Please contact another Super User or use an alternative method as described in the documentation: https://docs.joomla.org/Special:MyLanguage/How_do_you_recover_or_reset_your_admin_password0.000000"
Is that the actual text of the email? If so then the link being generated is wrong
Is that the actual text of the email? If so then the link being generated is wrong
Yes, sir. That is the actual text of the email except that I removed the site title from it where it says [SITE].
Then that's a problem, as that's not the URL in the language string:
https://docs.joomla.org/Special:MyLanguage/How_do_you_recover_or_reset_your_admin_password%3F
Shall I change my test result as unsuccessful then?
Ok, so just in case, I re-fetched GitHub, re-applied the patch and re-tested, and the email still says the same as reported above.
Hmm, I just looked into my test mail and I can confirm this behavior, but I'm not sure what is happening here.
Maybe @infograf768 can help here to understand what broke JText so that it does not use the URL from the language string? I already had to do this: c4a13ef to get JText to use the full language string for some reason.
It could be the %3f at the end of the URL (which is a ? character), or it could be something completely different.
Is there any reason for the URL to be in the language string? Maybe you could try using sprintf and see if that solves it.
It could be the %3f at the end of the URL (which is a ? character), or it could be something completely different.
Ah, I hadn't noticed that. Yup, it seems that was the issue, as after moving it, it works now. Thanks!
Is there any reason for the URL to be in the language string? Maybe you could try using sprintf and see if that solves it.
Not actually, but we usually have them in the strings; in this case it works the other way too.
the url on the docs server does have the %3f
the url on the docs server does have the %3f
Yes, and it has to, as the page without the question mark does not exist: https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password/
But I had not noticed nor thought that this could be a problem, so I assumed something was wrong with JText :D
Yes and it has to as the page without the question mark does not exist
That is what I was trying to say ;)
It's used without problem with JText in Joomla 4 with mod_login in the admin
Hmm, maybe a combination with /n/n, given that it worked partly when I used the $interpretBackSlashes = false switch.
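As an added example (not code from the PR or from Joomla) of the collision this exchange describes, assuming PHP 8: a literal `%3F` in a string that is later handed to sprintf(), as JText::sprintf does, is read as a width-3 `F` (float) conversion rather than as the URL-encoded `?`. The countSpecifiers() lint helper is hypothetical.

```php
<?php
// Added example, not Joomla's own code. A literal "%3F" in a string that is
// later passed to sprintf() is parsed as a conversion specifier (width 3,
// F = float), not as the URL-encoded "?". Assumes PHP 8 (ArgumentCountError).
const DOC_URL = 'https://docs.joomla.org/Special:MyLanguage/How_do_you_recover_or_reset_your_admin_password%3F';

// Hypothetical lint helper: count the conversion specifiers sprintf() would
// consume, ignoring the escaped "%%". Compare the result with the arguments you
// intend to pass before a string goes into a language file.
function countSpecifiers(string $format): int
{
    $unescaped = str_replace('%%', '', $format);
    return preg_match_all('/%(?:\d+\$)?[-+ 0]*(?:\'.)?\d*(?:\.\d+)?[bcdeEfFgGosuxX]/', $unescaped);
}

// Broken: "%s" for the site name plus the unintended "%3F" at the end of the URL.
$broken = 'A request has been made to reset your %s account password. See: ' . DOC_URL;
echo countSpecifiers($broken), PHP_EOL;   // 2 specifiers, but only one argument is meant

try {
    sprintf($broken, 'Example Site');     // PHP 8 refuses: too few arguments
} catch (ArgumentCountError $e) {
    echo 'sprintf rejected the string: ', $e->getMessage(), PHP_EOL;
}

// Fix 1: escape the percent sign so sprintf() passes it through literally.
$escaped = str_replace('%3F', '%%3F', $broken);
echo countSpecifiers($escaped), PHP_EOL;          // 1
echo sprintf($escaped, 'Example Site'), PHP_EOL;  // ...admin_password%3F

// Fix 2 (what the thread settled on): keep the URL out of the format string.
$template = 'A request has been made to reset your %s account password. See: %s';
echo sprintf($template, 'Example Site', DOC_URL), PHP_EOL;
```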
I have the feeling there is not much interest in this PR... I will create the RC today without a fix and tests; it will not make it again into 3.9.
This is really an issue because if someone gets your email address, there are plenty of ways to get the password for the email account, then go and reset the user's Joomla password.
For example: https://haveibeenpwned.com/
@CharlieH96 Please test this
This PR doesn't solve this for sites with public registration; it's only a small security-through-obscurity enhancement.
Labels | Added: Language Change |
I have tested this item
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
RTC
Labels | Added: PBF |
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-04-23 18:47:49 |
Closed_By | ⇒ | laoneo |
Thanks!
Hmm, Drone fails, unrelated, on a message that the dev dependencies can not be installed because the minimum PHP version is 5.3.10. Any idea how to overcome that error? @HLeithner @Hackwar ? https://ci.joomla.org/joomla/joomla-cms/35781/1/2