Created by Nigel Morris 10 May 2017, 16:29:20 Updated by Shannon Deminick 24 May 2017, 06:11:54
Subtask of: U4-9609
Your report will have a greater chance of being addressed if you can give us clear steps to reproduce the issue, please answer the following questions in as much detail as possible:
What did you do?
Update from 7.5.13 to 7.6.0
Password no longer accepted
Requested new password
Email received but the link does not reset password
What did you expect to happen?
Go to a reset password page
What actually happened?
Returns to the login page
I imagine the password is not accepted if the current password is less than 10 characters, as the minRequiredPasswordLength is now 10 (although this should only be enforced on new and updating passwords). Also the field umbracoUser > userNoConsole is set to True after requesting the password, so emails no longer work for that user. Will test again but assume it's related to "enablePasswordRetrieval" in the web.config
UmbracoMembershipProvider > enablePasswordRetrieval="false" minRequiredPasswordLength="8" useLegacyEncoding="true" & UsersMembershipProvider > enablePasswordRetrieval="false" minRequiredPasswordLength="8" useLegacyEncoding="true"
Seems to work fine here, see screenshot.
I think it is just that you were already locked out when you requested a password reset. Unfortunately we don't unlock when a password reset is requested as this would defeat the purpose of locking someone out:
However, I'm pretty sure it would be okay to unlock the account once the account owner clicks the link and actually provides an updated password.
Hi @sebastiaan and @Nigel.Morris,
some thoughts from my side...
If a user is already locked out and requests a "reset password" mail, the mail should be sent to the user regardless of his locked-out status. If the user is an honest user and can access the email address of the specified user, it should be possible to click on the link and reset his password (no matter if he is locked in or locked out).
Once he has specified his new password his account should be unlocked at that moment (and not when sending the forgotten password mail).
The risk of unlocking an account when resetting his password at this moment is minimal in my opinion, because the user has to be able to access the email address of the user, and if that's possible then the lockout threshold isn't the biggest problem he has.
This is then also a way to unlock your account :)
Yup, makes sense, thanks for the feedback!
confirmed, all working :)
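The behaviour agreed in the comments above, as an added Python sketch that is not part of the original thread and is not Umbraco's code: the reset mail is issued even for a locked-out user, the lockout is cleared only once a valid token and an acceptable new password are supplied, and the minimum length is checked only when a password is set. The `Account` class, the threshold of 5 failed attempts and the one-hour token lifetime are assumptions; the minimum of 10 is the value from the report.

```python
import hashlib, hmac, os, secrets, time

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
MIN_NEW_PASSWORD_LENGTH = 10   # enforced only when a password is set
TOKEN_TTL_SECONDS = 3600       # assumed lifetime of the reset link

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical in-memory account; not Umbraco's membership provider."""
    def __init__(self, existing_password):
        # An existing password is kept even if shorter than the new minimum.
        self.salt = os.urandom(16)
        self.pw_hash = _hash(existing_password, self.salt)
        self.failed_attempts = 0
        self.reset_token_hash = None

    @property
    def locked_out(self):
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def login(self, password):
        if self.locked_out:
            return False  # a locked account never authenticates
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

    def request_reset(self, now=None):
        # Always issue a token, locked out or not, but do not unlock here.
        token = secrets.token_urlsafe(32)
        self.reset_token_hash = hashlib.sha256(token.encode()).digest()
        self.reset_expires = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        return token  # in a real system this leaves only by e-mail

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        supplied = hashlib.sha256(token.encode()).digest()
        if self.reset_token_hash is None or now > self.reset_expires:
            return False
        if not hmac.compare_digest(supplied, self.reset_token_hash):
            return False
        if len(new_password) < MIN_NEW_PASSWORD_LENGTH:
            return False  # token stays valid so the user can retry
        self.pw_hash = _hash(new_password, self.salt)
        self.reset_token_hash = None  # single use
        self.failed_attempts = 0      # the lockout is cleared only here
        return True
```

Only the SHA-256 of the token is stored, so reading the account record does not yield a usable reset link.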
Backwards Compatible: True
Affected versions: 7.6.0, 7.6.1
Due in version: 7.6.2