During password reset, if I use the same password, the system ignores that the password is equal and permits me to continue.
A message if the password is equal to the previous one.
Joomla 3.10.6
The problem is in com_user -> model -> reset, function processResetComplete():
if ($user->requireReset == 1 && JUserHelper::verifyPassword($data['password1'], $user->password))
Labels added: No Code Attached Yet
Yes, you are right, in the function verifyPassword.
I have printed the data:
$data['password1'] = for example "test"
$user->password = the encrypted password saved in the DB, which I set to "test".
But the function does not return true, so it continues without an alert.
If before this check I decrypt $user->password and pass the encrypted password from the DB into the function, then the function returns true and tells me that the password is equal, giving me an alert.
I don't know why it is not working.
Do you think the problem is in my Joomla? Strange, it is the latest version.
From: Christiane Maier-Stadtherr
Sent: Thursday, 3 March 2022 13:04
To: joomla/joomla-cms
Cc: robertaonnis; Author
Subject: Re: [joomla/joomla-cms] Seams bug on com_user to reset password (Issue #37176)
It is expected behaviour to make sure that the password is your own password.
This comment was created with the J!Tracker Application (https://github.com/joomla/jissues) at issues.joomla.org/tracker/joomla-cms/37176.
This is a bug. There is no point in an admin setting a user account to require a password reset if we let them reset to the same password.
Sorry, I didn't understand what you mean.
I have created a platform, not yet online, where users can register freely and request password recovery,
so they can do the reset independently. Are you saying this is a bug in com_user?
From: Brian Teeman
Sent: Thursday, 3 March 2022 13:13
To: joomla/joomla-cms
Cc: robertaonnis; Author
Subject: Re: [joomla/joomla-cms] Seams bug on com_user to reset password (Issue #37176)
This is a bug. There is no point in an admin setting a user account to require a password reset if we let them reset to the same password.
Not yet checked.
I was talking about when a user forgets a password and the system sends the user a link to set a new password!
On 3 Mar 2022, at 13:47, Brian Teeman wrote:
Ah I thought you were talking about the option for an admin to require a user to reset their password
[image] https://user-images.githubusercontent.com/1296369/156567576-6ea51588-8602-4f8a-9fbb-bb6d5ade7a59.png
Hi Brian, I have discovered the issue:
// Check if the user is reusing the current password if required to reset their password
if ($user->requireReset == 1 && JUserHelper::verifyPassword($data['password1'], $user->password, $user->id))
{
    $this->setError(JText::_('JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD'));
    return false;
}
To go inside at this point it is necessary that $user->requireReset is true.
But this is never true at this point.
If I delete this, it seems to work. This function is called only in case of a reset requested by the end user, so not the admin. For admin requests the function is in the model of profile.php.
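The following is an added illustration of the check discussed in this thread; it is not Joomla's code. It models the condition from processResetComplete() with a constructed user row and uses PHP's password_verify() in place of JUserHelper::verifyPassword() (both compare a plaintext candidate against a stored bcrypt hash). The stricter completeResetNoReuse() variant is an assumed policy, not Joomla behaviour, shown only to contrast the two positions taken in the thread.

```php
<?php
// Added illustration, not Joomla's code. The user array below is a constructed
// stand-in for the #__users columns that the reuse check actually reads.

function makeUser(string $currentPassword, int $requireReset): array
{
    return [
        'id'           => 42,                                        // constructed
        'password'     => password_hash($currentPassword, PASSWORD_BCRYPT),
        'requireReset' => $requireReset,
    ];
}

/**
 * Mirrors the condition quoted in the thread: reuse of the current password
 * is rejected only when the account carries the requireReset flag.
 * Returns the error language key, or null when the reset may proceed.
 */
function completeResetAsShipped(array $user, string $newPassword): ?string
{
    if ($user['requireReset'] == 1 && password_verify($newPassword, $user['password'])) {
        return 'JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD';
    }
    return null; // caller would now hash and store $newPassword
}

/**
 * Assumed stricter policy (not Joomla behaviour): the current password is
 * never accepted as the new password, whether or not the flag is set.
 */
function completeResetNoReuse(array $user, string $newPassword): ?string
{
    if (password_verify($newPassword, $user['password'])) {
        return 'JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD';
    }
    return null;
}

function describe(string $label, ?string $result): void
{
    echo $label, ': ', $result ?? 'reset proceeds', PHP_EOL;
}

// Forgot-password flow: the flag is 0, so the shipped check never fires.
$selfService = makeUser('test', 0);
describe('self-service reset, same password, shipped check', completeResetAsShipped($selfService, 'test'));
describe('self-service reset, same password, no-reuse policy', completeResetNoReuse($selfService, 'test'));

// Admin-forced reset: the flag is 1, so the shipped check rejects reuse
// but still lets a genuinely new password through.
$forced = makeUser('test', 1);
describe('forced reset, same password, shipped check', completeResetAsShipped($forced, 'test'));
describe('forced reset, different password, shipped check', completeResetAsShipped($forced, 'different-pass'));

// On the debugging described earlier in the thread: $user->password holds a
// bcrypt hash, so it is never string-equal to the plaintext. Only a verify
// call can compare the two; printing both and eyeballing them proves nothing.
var_dump($selfService['password'] === 'test');
var_dump(password_verify('test', $selfService['password']));
```

Running this shows the reported behaviour directly: with requireReset at 0, the shipped condition short-circuits before the password is even compared, so a self-service reset to the identical password goes through. The last two lines show why a hash and a plaintext can never be compared by equality, which is the trap the "I have printed the data" debugging fell into.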
@robertaonnis sorry but I do not understand. So I am unsure if this is still an issue for you or if I can close this.
You say that your problem is:
If a user forgot a password, he can activate the link "forgot my password" in the frontend.
He gets an email with a link and a key.
If he follows the link in the email he can enter a new password.
Expected result
During password reset, if I use the same password, the system ignores that the password is equal and permits me to continue.
This is normal behaviour.
So we can close this issue?
In your opinion, if the user asks to reset the password and the new password entered is equal to the old one, it is not a bug; sure, you can close.
In my opinion it is a bug.
Thanks for your assistance.
Roberta Onnis
I think this is correct, as the password was secret before and is secret also after the change.
If an administrator gives a password and requires a change, the new password must be different because the administrator knows it.
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2022-03-05 09:52:49
Closed_By: ⇒ chmst
It is expected behaviour to make sure that the password is your own password.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37176.