[5.2] User: Don't reset newly set requireReset

[Hackwar]

Pull Request for Issue #40480.

Summary of Changes

When an existing user is edited, the password is updated and the require password reset flag is set, the flag is directly unset again. When an admin in the backend for example resets an organisational account and resets the password to something like 123456 and wants the user to reset their password upon next login, this unintentionally clears that flag because the admin has just changed the password.

Testing Instructions

1. Create a new user
2. Edit that new user and change the password AND set the switch to require password reset
3. Click on save

Actual result BEFORE applying this Pull Request

The page reloads, the password is set to the new value and the require reset flag is set to NO.

Expected result AFTER applying this Pull Request

The page reloads, the password is set to the new value and the require reset flag is still set to YES.

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[Attila-SWE]

Since require password reset is something we want the end-user to act upon I suggest removing the code that automatically removes require reset all together. If admin wants to change password and no longer wants user to change at next login then admin manually can deselect the switch for require reset?

[Hackwar]

That code is the code which resets the flag after the user changed their password. Removing that code would mean that a user has to change their password on every page load.

[ghost]

I have tested this item ✅ successfully on dfbac92

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44519.}

[Attila-SWE]

Oh! I thought it was only for backend change. I checked file path now. Then of course it should not be removed. Is there a point in modifying backend functionality?

The way we use it is when users contact us and have issues with resetting/changing their password on their own. Then we change for them and mark as require reset at next login. This could also be the case when user already has require reset marked.

[Hackwar]

Right now it clears that flag when you change the password, so you have to change the password, open the user again and then set the flag and save it again. This PR fixes that.

[Attila-SWE]

I have now manually applied code change and can confirm it works as described in PR.

Would it be possible to change from

if ($this->requireReset) {

to something like

if ($this->requireReset && !BACKENDEDIT) {

Because then when, as admin, editing users in backend the flag would not be reset automatically. This would basically only be relevant when user already has reset required marked and admin changes temporary password again (for example on users request)

[Attila-SWE]

I have tested this item ✅ successfully on dfbac92

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44519.}

[Quy]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44519.}

[pe7er]

Thanks @Hackwar !