aamplugin / advanced-access-manager

WordPress Advanced Access Manager Plugin

Stripped query strings in new account "set password" links AND Disallowed password reset #372

Closed altered-slate closed 3 months ago

altered-slate commented 3 months ago

ISSUE

Up to version 6.9.27, when a new user registered on our site, they would receive an email containing a link to set a new password. The link would have a query string appended to the end of it, allowing the user to directly set their password, similar to the following:

href=https://mywebsite.com/account/lost-password/?action=newaccount&key=cHVQ8xNpDKD0tUTGxWLt&login=myusername

After updating to 6.9.28, these links within the new account email no longer have a query string appended to the end:

href=https://mywebsite.com/account/lost-password/

Following this URL of course does nothing but load the standard lost password form, where the user can request an email with a link to reset their password and would be back to square one.

HOWEVER, trying to fill in the lost password form and request a new password reset email results in an error message "Password reset is not allowed for this user".

STEPS TAKEN TO VERIFY / RESOLVE ISSUE

altered-slate commented 3 months ago

UPDATE

After reviewing the 6.9.28 changelog, and noticing the item:

Added: New "User Governance" feature

and subsequently reviewing the description of the User Governance feature in AAM settings:

Manager how other users and unauthenticated visitors can see and manage registered users on the site.

this feature sounded like the most relevant change related to the issue initially reported.

Disabling the User Governance feature allowed new account emails to have proper query strings appended to the end of "set password" links, and users could once again successfully request a password reset via the lost password form while AAM 6.9.28 was active, consistent with all working features up to 6.9.27.

As an additional minor note, "Manager" in the quoted text of the User Governance feature appears to be a typo.

aamplugin commented 3 months ago

@altered-slate thank you for the information. We've already identified the root cause and will fix it in the upcoming AAM release.

irmmr commented 3 months ago


I had the same error. By disabling user-governance, the problem is solved.

aam > settings > ConfigPress

core.service.user-governance.enabled = false

Also, the wp_is_password_reset_allowed_for_user function is used to check whether changing the password is possible when the password is forgotten, and the allow_password_reset filter is completely destroyed by the changes applied using the aam plugin.

// https://developer.wordpress.org/reference/functions/current_user_can/
// Checks the capabilities of the *current* request's user; the second argument
// is an object id passed through to meta-capability mapping, not a user id.
current_user_can('aam_change_password', $user->ID)

to

// https://developer.wordpress.org/reference/classes/WP_User/has_cap/
// Checks the capability on this WP_User object, regardless of who is logged in.
$user->has_cap('aam_change_password')

When users are not actually logged in ...

// get_current_user_id() returns 0 for a logged-out visitor, so this is false
// for every anonymous lost-password request.
$user->ID === get_current_user_id()
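The point of the comment above is that the lost-password form is submitted by an anonymous visitor, so any decision taken inside the allow_password_reset filter has to be evaluated against the target user, not the current session. The following mu-plugin is an added illustration of that, written for this thread and not AAM's own code; the capability name 'aam_change_password' is taken from the comment above, and the plugin name and callback are assumptions.

```php
<?php
/**
 * Plugin Name: Reset-allowed check against the target user (illustrative example)
 *
 * WordPress calls wp_is_password_reset_allowed_for_user() with the WP_User
 * who owns the account, then runs apply_filters('allow_password_reset', $allow, $user->ID).
 * Nobody is logged in while that runs, so get_current_user_id() is 0.
 */

add_filter('allow_password_reset', function (bool $allow, int $user_id): bool {
    // Respect an earlier denial from core or another plugin.
    if (!$allow) {
        return false;
    }

    $user = get_userdata($user_id);
    if (!$user instanceof WP_User) {
        return false; // unknown account: keep the default failure path
    }

    // Broken form of the check (the pattern the comment above describes):
    // current_user_can() asks about the visitor submitting the form, who is
    // anonymous here, so this denies every reset once the feature is on.
    //
    //     return current_user_can('aam_change_password', $user->ID);

    // Working form: evaluate the capability on the account being reset.
    // user_can() is the core helper that wraps $user->has_cap() for this case.
    return user_can($user, 'aam_change_password');
}, 10, 2);
```

Drop the file into wp-content/mu-plugins/ to test; with the broken line swapped back in, the lost-password form reproduces the "Password reset is not allowed for this user" message from the original report.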