Disable password reset by email


(Shaun Bogan) #1

Is there a way to disable the password reset by email feature on the login page? I would like to only allow a password reset when an administrator initiates the sending of the email. The ability of a user to change their password when logged in shouldn’t be affected.


(Régis Hanol) #2

That’s not possible. Why do you want to prevent your users from resetting their password when logged out?


(Shaun Bogan) #3

I don’t want password reset links being sent out by email.


(Joshua Rosenfeld) #4

How do you expect your users to reset forgotten passwords without an email?


(Shaun Bogan) #5

As I stated in the initial post:
I would like to only allow a password reset when an administrator initiates the sending of the email.

I just don’t want someone to come to the login page and request the email be sent themselves. I want an admin to do it.


(Joshua Rosenfeld) #6

You could hide the link with some CSS:

form#login-form #forgot-password-link {
    display: none;
}

(Jeff Wong) #7

Still not sure I see the benefit of disallowing a user from doing it. (You’re not OK with a password reset link in email, except when you are?)

When would an admin know that a reset needed to be sent out?


(Mittineague) #8

I can’t speak for others, but if I had forgotten my password or even just wanted to change it because I felt that changing passwords periodically was a good thing to do, or worst case, the password had become compromised, I would be frustrated if it couldn’t be done.
Maybe not to the point of giving up never to return, I might try to contact the Admin and ask for help, but then again, I just might give up and never return.

I’m assuming the motivation behind wanting to do this is a security concern. IMHO having poor UX is not the way to approach the concern.

That is, if you are aware of a potential vector, that is what should be addressed.


(Shaun Bogan) #9

When they walk over to my desk and tell me that they are.


(Joshua Rosenfeld) #10

This context is key. Pretty sure all of us here were assuming this was a forum on the internet, not a private forum where everyone has direct access to the Admin. This would have been a good detail to include 😃.