jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Password change notification is not sent if the password is reset #161

Closed renchap closed 3 years ago

renchap commented 3 years ago

Currently password change notifications (change_password_notify) are not sent when the password has been reset by email (reset_password feature).

I see that the feature says "when their password is changed using the change password feature" but I would expect the change password notification to be sent whenever the password is changed.

It looks like change_password is not called from the reset_password feature, so after_change_password is not either. I am not sure what the proper fix would be here but it would be useful to have a hook triggered for any password change.

Any thoughts?

jeremyevans commented 3 years ago

The current behavior is expected and clearly documented. The idea with emailing on change password is so that the user is notified via email, so someone else with temporary access to the user's account cannot change the password without the user being informed via email. With reset password, the user is already informed via email that someone else requested a password reset. So having a password reset notification email doesn't solve the same security issue.

The security issue a password reset email would solve would be if the attacker has access to a still active password reset request email for the account without the ability to access new emails for the account. That's not a very likely attack scenario.

That being said, I'm not opposed to a reset_password_notify feature, or a modification to the change_password_notify feature that adds the option to notify on password reset but does not make it the default (and doesn't require depending on the reset_password feature). So if you would like this feature, please submit a pull request for it.
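One way to get the behaviour renchap asks for without changing Rodauth's default, as an added example that is not part of this thread or of Rodauth's own code: hook the reset_password feature's after_reset_password and send the change_password_notify email from there. It assumes that change_password_notify defines send_password_changed_email (the method its own after_change_password hook calls), that email delivery is configured through Rodauth's email_base settings, and a Sequel database in DATABASE_URL.

```ruby
# Added example (not Rodauth's own code): opt in to a "password changed" email
# on the reset-password path, which does not go through change_password.
# Assumptions: send_password_changed_email is provided by change_password_notify,
# and send_email / the email_base settings are configured for delivery.
require "roda"
require "sequel"

DB = Sequel.connect(ENV.fetch("DATABASE_URL"))

class App < Roda
  plugin :rodauth do
    enable :login, :logout, :change_password, :change_password_notify, :reset_password

    # change_password_notify already emails after the change_password feature
    # runs. reset_password never calls change_password, so after_change_password
    # does not fire on a reset; notify explicitly on that path instead.
    after_reset_password do
      # Reuse the same "your password was changed" email the feature already builds,
      # so the account owner learns of the change whichever path performed it.
      send_password_changed_email
    end
  end

  route do |r|
    r.rodauth
    rodauth.require_authentication
    "Logged in as account #{rodauth.session_value}"
  end
end
```

As jeremyevans notes, the reset email itself already tells the owner a reset was requested, so this extra notice only matters when an attacker holds a still-valid reset link but cannot read new mail for the account.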