Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46247] - [5.x] Always allow the captive page and captive.validate task even with PW reset requested

RTC bug PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

avatar zero-24
zero-24
7 Oct 2025

Summary of Changes

Always allow the captive page and captive.validate task even with PW reset requested. I'm not 100% sure whether its a good way to put the code here but on the first look it looks ok and fixes the issue.

Testing Instructions

  • Install 5.4.0rc2
  • create secondary user within the "administrator" group
  • force the user to reset his PW and set an inital PW
  • force the administrator group to setup mfa (Users -> Manage -> Options -> Multi-factor Authentication)
  • login with that secondary user
  • setup mfa
  • try to do the next step

Actual result BEFORE applying this Pull Request

endless loop as joomla wants you to fill the captive page and reset your PW at the same time

Expected result AFTER applying this Pull Request

first joomla will allow you to fill the mfa captcha after that it will force you to reset your PW.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar zero-24 zero-24 - open - 7 Oct 2025
avatar zero-24 zero-24 - change - 7 Oct 2025
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 7 Oct 2025
Category Libraries
avatar zero-24 zero-24 - change - 8 Oct 2025
Labels Added: bug PR-5.4-dev
avatar muhme muhme - test_item - 31 Oct 2025 - Tested successfully
avatar muhme
muhme - comment - 31 Oct 2025

I have tested with 5.4-dev this item ✅ successfully on afec998

* Saw the problem 'The page isn’t redirecting properly'

  • (Restarting the web server or browser was not enough to get rid of the redirect, I solved by using another browser)
  • Applied the PR with Patch Tester, login with password, set-up 2nd factor and reset password is possible now, logout and login again successfully with booth users
  • Created 3rd Administrator user without forces password to be reset -> forced to set-up Multi-Factor, logout, login again with password and passkey, logout and login with passkey and password
  • Created 4th user editor and logged in on frontend
    This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.
avatar exlemor exlemor - test_item - 31 Oct 2025 - Tested successfully
avatar exlemor
exlemor - comment - 31 Oct 2025

I have tested this item ✅ successfully on afec998

I have successfully tested this! Thanks @zero-24, I would never have found this bug - great job that you did!

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar muhme muhme - change - 31 Oct 2025
Status Pending Ready to Commit
avatar muhme
muhme - comment - 31 Oct 2025

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar joomdonation
joomdonation - comment - 31 Oct 2025

I haven't had a chance to check the details yet, but maybe we should check to see why we could not use existing code to bypass password reset check for these pages?

avatar richard67 richard67 - change - 31 Oct 2025
Status Ready to Commit Pending
avatar richard67
richard67 - comment - 31 Oct 2025

Back to pending. @zero-24 Could you check @joomdonation 's suggestion?

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar richard67 richard67 - change - 31 Oct 2025
Labels Added: Updates Requested
avatar zero-24
zero-24 - comment - 31 Oct 2025

I have just tested and implemented the requested changes from @joomdonation Looks like the Backend was not tested when the PR was introduced and by that the task was missing and the view was an invalid view that we dont have within com_users, both fixed now.

avatar richard67
richard67 - comment - 31 Oct 2025

@muhme @exlemor Could you test again with the latest change when you find some time? Thanks in advance.

avatar richard67 richard67 - change - 31 Oct 2025
Labels Removed: Updates Requested
avatar exlemor exlemor - test_item - 31 Oct 2025 - Tested successfully
avatar exlemor
exlemor - comment - 31 Oct 2025

I have tested this item ✅ successfully on 88d9350

I have re-tested this PR successfully. Thanks @zero-24.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar muhme muhme - test_item - 1 Nov 2025 - Tested successfully
avatar muhme
muhme - comment - 1 Nov 2025

I have tested this item ✅ successfully on 88d9350

Retested with JBT and graft PRs full package, used Passkey as second factor, on backend and frontend

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar muhme muhme - change - 1 Nov 2025
Status Pending Ready to Commit
avatar muhme
muhme - comment - 1 Nov 2025

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

avatar zero-24
zero-24 - comment - 1 Nov 2025

Thanks to the testers and @joomdonation for the tip with that array 👍

avatar joomdonation
joomdonation - comment - 1 Nov 2025

Thanks to the testers and @joomdonation for the tip with that array 👍

Thanks for checking the suggestion and fixing the issue in the right way.

avatar richard67 richard67 - change - 1 Nov 2025
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2025-11-01 09:36:56
Closed_By richard67
Labels Added: RTC
avatar richard67 richard67 - close - 1 Nov 2025
avatar richard67 richard67 - merge - 1 Nov 2025
avatar richard67
richard67 - comment - 1 Nov 2025

Thanks @zero-24 for that bug fix, @joomdonation for the suggested changes, and @exlemor and @muhme for testing.

Add a Comment

Login with GitHub to post a comment