No Code Attached Yet
jjnxpct
12 Jun 2023

Steps to reproduce the issue

  • Add a registered user to an (extra) usergroup with access rights to the backend.
  • Enable login on the frontend.
  • Go to the frontend and use the 'forgot password' link to request a password reset.

Expected result

  • Receive an email with the reset code / link

Actual result

  • No mail has been sent.

System information (as much as possible)

Joomla 4.3.2
PHP 8.1.18

Additional comments

The frontend does show a message 'An email has been send...' but no mail is received. When the user is only 'registered' without having access rights to the backend, the mail is sent / received OK.

I guess this message is always shown to anyone who enters any email address for security reasons so it won't reveal if a user with the entered email exists.

But in this case an email should be sent? Or is it not possible to change a password for a user that also has backend access?

Am I correct in assuming there is no 'forgot password' functionality from the backend login page?

jjnxpct - open - 12 Jun 2023
joomla-cms-bot - change - 12 Jun 2023
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 12 Jun 2023
zero-24 - comment - 12 Jun 2023

Yes, it's showing the same message for all, and also yes, it's not sending a mail for people with SU access, as they also have access to the database or access to another Super User who could reset the account.

https://docs.joomla.org/How_do_you_recover_or_reset_your_admin_password%3F

There could be an argument made that a message without a PW reset link but with the above link should be sent. I myself have built such a thing for 3.10 but was overruled to not send the message as mail: #37712 / #30787 by @bembelimen back then.

jjnxpct - comment - 12 Jun 2023

Not sending an email to superusers seems fine to me, but I believe the mail is also not sent to other users with (limited) backend access. Maybe a user only has the right to edit articles in the backend. For this user it is not possible to reset their password from the frontend? And also not from the backend?

We have replaced the link on the backend login on most of our clients' sites with an email link to us with the subject 'CMS account password'. This is OK for most of our clients, but on sites with more backend users / usergroups with different access rights we would prefer them being able to reset their passwords themselves.

brianteeman - comment - 12 Jun 2023

I cannot replicate the reported problem. Are you sure that you don't have a security extension installed that is preventing it? I know that admintools has an option to disable the ability to reset a password in this way.

jjnxpct - comment - 12 Jun 2023

We do have Admin Tools installed. In the firewall there is an option 'Disable password reset for specific User Groups' but this is set to NO.

But I did a check with the admintools firewall disabled (renamed the plugin file), and after that the email was sent OK. So I might need to check some other settings in Admin Tools or contact them to figure this out.

Thanks for this Brian!

So I guess this issue is solved here.

zero-24 - change - 12 Jun 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-06-12 13:52:32
Closed_By: zero-24
zero-24 - close - 12 Jun 2023
zero-24 - comment - 12 Jun 2023

Closing, thanks. When you have found it, please post here too for people finding that issue later.

jjnxpct - comment - 19 Jun 2023

The Admin Tools developers confirmed this was an issue with their extension, and they were able to fix this. I tested it on our site with a development version of Admin Tools and the issue was solved. So this will probably be available in the next Akeeba Backup release.
