Thanks @Bakual for the feedback! Changes added in the new commit!

Thanks.
I think you may want to have a check as well where the actual reset is performed. You're doing the checks currently only for showing the views. But someone could easily fake the form and send the request anyway. If you really want to prevent users from resetting their passwords, you need to prevent the execution of the code in the controller.

@Bakual I look into that!

@Bakual I added the check for both links in the controller. Hopefully it's the right way of implementing. I also udated the test instructions.

@RickR2H Looks fine, except that you forgot the default values for allowReset :)

@Bakual Done ;D

Works for me!

@test Works fine for me!

Thanks for coding and testing. --> RTC

I strongly disagree with forbidding people to change their password. This is a security implication. I can understand why you would want to forbid users not to change their username. But stopping them from changing passwords is a horrific idea and even by giving site owners this option we are implicitly endorsing it. I am strongly against us merging this PR.

@wilsonge I fully agree with you! For a normal users who register on a site it's a vital functionality to change there password. The reason I wanted to implement this feature is due to the fact I've encountered multiple websites which uses one password and username for multiple users which I always strongly discourage by the way . As this happened 3 times to me now I thought is was time to implement this kind of feature. The last time for example, the company had multiple divisions with every division having the own specials needs for the intranet website. So if you work on that division, you log in to the intranet site with the global division username and password only seeing the content and functionality for that particular division. To use this kind of functionality it is wise to switch the username and password reset off.

This PR doesn't forbid users to change their passwords. It stops them from using Joomla core to do it.
Guess that those that use different authentication provide means for users to change their password.
Never heard about GMAIL or FACEBOOK stopping you from changing passwords because you configured Joomla site to disallow it.
Assume the Joomla account to be under control of software other than Joomla core.

@sovainfo I never looked at it that way but you are right.

To forbid changes of user data of specific users via Joomla core a custom (really small) system/user plugin (onUserBeforeSave) is the better way I think.
And links can be hidden by CSS or overrides.

Would consider that bad UX, even when done only for specific users. Consider it bad design to let the user do things and then tell them it is not allowed. Same applies to hiding using CSS. You shouldn't hide options, you should remove them. Make them unavailable to use, not only make them invisible.

Just to put things into perspective. It's an option that is switched off by default and it is there to help users in particular situations, as with a lot of settings in Joomla...

I don't see the need for this option. Having the actual links work isn't that much of a problem, regular users are not going to type in the URL in their browser if you don't show them. If you really want to forbid it, this can be done via a plugin.

@RickR2H I am going to close this PR for the following reasons, first of all you agree this only happens on very rare occasions. Second it is not checked with other authentication mechanisms and finally, the same can be achieved via a plugin so there is an alternative available.

Thank you for your work on this PR and others for giving their feedback.

@roland-d No problem! I get your point!