Behavior confirmed in version 2.4.0. To reproduce:
Turn on password disabling for all users
Enable override URL
For a non-Clef-enabled WP user, attempt to perform a password reset via the override url
Expected result: successful password reset
Actual result: user receives error: “Password reset is not allowed for this user”
Also confirmed in prior versions (i.e., 2.4.0 did not introduce a bug). If I recall, back when the force Clef and override URL features were added (~ version 1.7), we chose not to allow password resets, even at the override URL, when disable passwords for all users was turned on. The reasoning behind this decision involved reducing the attack vector from malicious password reset requests (i.e., account takeover via email account breach).
There's room to discuss whether it makes sense to add add the ability to perform password resets via the override URL.
User report: https://wordpress.org/support/topic/reset-password-lnot-working-anymore
Behavior confirmed in version 2.4.0. To reproduce:
override url
Also confirmed in prior versions (i.e., 2.4.0 did not introduce a bug). If I recall, back when the force Clef and override URL features were added (~ version 1.7), we chose not to allow password resets, even at the override URL, when disable passwords for all users was turned on. The reasoning behind this decision involved reducing the attack vector from malicious password reset requests (i.e., account takeover via email account breach).
There's room to discuss whether it makes sense to add add the ability to perform password resets via the override URL.