Closed michaelryanmcneill closed 6 years ago
I like the idea of showing the correct change password URL.
Going further, are they able to set a local password? If so, can they use that local password for non-Shibboleth authentication (e.g. REST API)? Should we prevent/block that for Shibboleth users?
This is a great point @jrchamp. I'm not 100% sure but I will definitely do some testing to determine if that is the case. If you have some free time to do a PR on this, that'd be awesome too.
As pointed out by @earnjam, if a user ends up on `wp-login.php` they'll still be able to reset their local password, even if Shibboleth is the only auth method allowed. Instead, we should hook into the `lostpassword_url` filter: https://codex.wordpress.org/Plugin_API/Filter_Reference/lostpassword_url to change the URL to what the user provides, or we should hide the option entirely if a user hasn't provided a lost password URL.
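
One way the hook described above could look, as an added example that is not the plugin's own code. The option names `example_shib_only_auth` and `example_shib_password_reset_url` and the `example_shib_*` functions are hypothetical. Besides rewriting the link, it refuses the local reset server-side, since changing the URL alone does not stop a direct request to `wp-login.php?action=lostpassword`.

```php
<?php
// Added example. Option and function names are hypothetical, not the plugin's.

// True when the site admin has made Shibboleth the only allowed auth method.
function example_shib_is_only_auth() {
    return (bool) get_site_option( 'example_shib_only_auth', false );
}

// Admin-supplied IdP password reset URL, or '' when none was configured.
function example_shib_reset_url() {
    return esc_url_raw( (string) get_site_option( 'example_shib_password_reset_url', '' ) );
}

// Point every "Lost your password?" link at the IdP when a URL is configured.
add_filter( 'lostpassword_url', function ( $url, $redirect ) {
    $idp_url = example_shib_reset_url();
    return ( '' !== $idp_url ) ? $idp_url : $url;
}, 10, 2 );

// Refuse local resets in core's own check, so no reset e-mail or key is issued.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    return example_shib_is_only_auth() ? false : $allow;
}, 10, 2 );

// Catch direct hits on the wp-login.php reset actions before the form renders.
function example_shib_block_local_reset() {
    if ( ! example_shib_is_only_auth() ) {
        return;
    }
    $idp_url = example_shib_reset_url();
    if ( '' !== $idp_url ) {
        // The IdP is normally an external host, which wp_safe_redirect() would reject.
        wp_redirect( $idp_url );
        exit;
    }
    wp_die(
        esc_html__( 'Password resets are handled by your identity provider.' ),
        '',
        array( 'response' => 403 )
    );
}
foreach ( array( 'lostpassword', 'retrievepassword', 'resetpass', 'rp' ) as $action ) {
    add_action( 'login_form_' . $action, 'example_shib_block_local_reset' );
}
```

This does not cover local passwords set from the profile screen or used for non-Shibboleth authentication such as the REST API, which the comments above raise as a separate question.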