joomla / joomla-cms

Home of the Joomla! Content Management System
https://www.joomla.org
GNU General Public License v2.0

4.2.2 User Require Password reset doesn't work #38788

Open morefriendm opened 2 years ago

morefriendm commented 2 years ago
  1. Please log in to https://discvrmas.periopmedicine.org.au
  2. Log in with user: testuser, password: 12345678
  3. I have already enabled "Require Password Reset" for the above user.

Expected result

The user profile page should be loaded to change the user's password

Actual result

The page redirects to the logged-in home page rather than to the user profile page to change the password

System information (as much as possible)

J4.2.2 PHP 8.0.23 Default Joomla template

Additional comments

chmst commented 2 years ago

Confirmed, the user is logged in. The profile with the request for changing the password comes with the next click. 3.10 and 4.0 work as expected.

alikon commented 2 years ago

Confirmed, I would like to ping @nikosdion; he can check better than me if we can exclude MFA.

nikosdion commented 2 years ago

On it. I think I know where the problem lies.

nikosdion commented 2 years ago

Looking at how the require password reset works I will say that we MUST check for Multi-factor Authentication before allowing the user to change their password.

Joomla does not use the password reset flow for resetting a password in this case, it gives full and unrestricted(!) access to the user profile edit page. This means that anyone who knows the user's old password can log into the site, see the user's personally identifiable information and even disable, change or add Multi-factor Authentication and WebAuthn Passwordless Authentication methods. That is to say, they can do a complete account takeover.

We use the Requires Password Reset feature when we provide a user with a temporary password which is transmitted over insecure transports (e.g. email, phone, ...) or when we suspect the user's password is compromised. If by doing so we also disable the MFA protection of that user's account we are exposing them to danger!

If there is a legitimate use case where the user has forgotten their password, they don't have access to their MFA Method and we need to convey a temporary password over an insecure transport the correct process would be this:

As a result I would close this as Won't Fix because the problem is not with MFA but the way Requires Password Reset is implemented. This feature needs to deny the user access to the site, instead redirecting them to the Forgot Your Password page with a message that they are required to go through the password reset process. For that, I'd recommend opening a different issue.
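A small model of the two login orderings discussed in this comment, added here as an example and not code from Joomla or from the commenter: the reported ordering grants a full session to a "require reset" user before the MFA gate, while the proposed ordering refuses the login and sends the user to the self-service reset flow. The user records, page names and helper functions are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    DENIED = "bad credentials"
    RESET_REQUIRED = "login refused: go through the Forgot Your Password flow"
    MFA_REQUIRED = "captive MFA challenge before any page is served"
    GRANTED = "session granted"

@dataclass
class User:
    # Constructed test record; plain-text password only because this is a model.
    username: str
    password: str
    require_reset: bool = False   # the "Require Password Reset" user flag
    mfa_enabled: bool = False     # user has at least one MFA method enrolled

def _credentials_ok(user, username, password):
    return user.username == username and user.password == password

def login_as_reported(user, username, password):
    """Ordering the issue describes: a require_reset user gets a full session and is
    sent to the profile edit page, so the MFA gate is never reached."""
    if not _credentials_ok(user, username, password):
        return Outcome.DENIED, None
    if user.require_reset:
        # Profile data and MFA settings reachable with the old password alone.
        return Outcome.GRANTED, "profile-edit"
    if user.mfa_enabled:
        return Outcome.MFA_REQUIRED, "mfa-captive"
    return Outcome.GRANTED, "home"

def login_proposed(user, username, password):
    """Ordering proposed in the thread: require_reset refuses the login outright and
    points the user at the reset page; no session exists until MFA has passed."""
    if not _credentials_ok(user, username, password):
        return Outcome.DENIED, None
    if user.require_reset:
        return Outcome.RESET_REQUIRED, "forgot-password"   # no session to take over
    if user.mfa_enabled:
        return Outcome.MFA_REQUIRED, "mfa-captive"
    return Outcome.GRANTED, "home"

def exposed_accounts(users):
    """Audit helper: accounts whose MFA the reported ordering silently bypasses."""
    return sorted(u.username for u in users if u.require_reset and u.mfa_enabled)

if __name__ == "__main__":
    alice = User("alice", "temp-pw-1", require_reset=True, mfa_enabled=True)
    print(login_as_reported(alice, "alice", "temp-pw-1"))  # (Outcome.GRANTED, 'profile-edit')
    print(login_proposed(alice, "alice", "temp-pw-1"))     # (Outcome.RESET_REQUIRED, 'forgot-password')
```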

morefriendm commented 2 years ago

Thanks @nikosdion. We are using the "Require password reset" feature, so that when users first login, they need to setup their password and profile details if needed. At the moment, even if all MFA is disabled, it's not redirecting to the profile edit page.

ahvink commented 1 year ago

What's the status on this at the moment?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38788.

Mika17420 commented 1 year ago

Is there a solution to solve this problem punctually?

Mika17420 commented 1 year ago

Why is this bug on the removed label? The problem persists.


nikosdion commented 1 year ago

@Mika17420 Read my comment from September: https://github.com/joomla/joomla-cms/issues/38788#issuecomment-1253440628

The original poster did open a new issue (https://github.com/joomla/joomla-cms/issues/38806) so someone would fix the way Requires Password Reset works… but it was closed as a duplicate of this issue, even though the body of the issue clearly referenced this issue (therefore my comment).

I would recommend someone opening a ticket with the title "Requires Password Reset does not work with users who have MFA enabled" and the content "The Requires Password Reset feature needs to deny login to the site and ask the user to go through the password reset (instead of trying to redirect them to the password reset page) when MFA is enabled for this user. For the reasoning see https://github.com/joomla/joomla-cms/issues/38788#issuecomment-1253440628".

Then, and only then, someone might actually take the 2 minutes it needs to understand the issue and the 10 minutes it takes to fix it…

coolcat-creations commented 1 year ago

I experienced the same bug in backend. When Password reset is set to yes and the user is using 2FA he is caught in a redirect loop.

nikosdion commented 1 year ago

@joomla/joomla-experience-team-jxt I believe this qualifies as a UX issue. Please see my comment from five months ago — read the last paragraph for the proposed solution.

coolcat-creations commented 1 year ago

I hope I did not misunderstand you; I created the issue as suggested. Thank you

KeesZNL commented 1 year ago

Having just upgraded from 3.10.11 to 4.3.2 I am experiencing the same problem. The user who is required to enter a new password must first click on the welcome page before the form appears where the password can be changed. This issue talks about MFA users. That is not applied in my site. I am new on GitHub, referred by the NL Joomla Forum. Where is the best place to report this issue? Does anyone know an interim solution, because it is impossible to explain to 60 users that member information is visible before the mandatory changed password has been entered.

sorry for my bad English

petervukovic commented 11 months ago

This bug still exists in 4.4.4 and presents a serious security risk. Is there any news on resolution?

pl71 commented 7 months ago

Joomla 5. Brand new test site with test data on XAMPP for Windows. Created a new user with Password Reset Required. Users can log in without a password reset. In the backend: mfa

carrieredaniel commented 2 months ago

Joomla 5, freshly installed two weeks ago: When a user is asked to reset its password, the "change password" question is not shown.

Behaviour shown: Password change is enforced when trying to log OUT. Expected behaviour: Password change is required shortly after logging in
