Password reset email link redirecting to login again


#1

The password reset email is sent, the problem is the link in the email redirects back to the login page. We do have the modified Guest User plug-in that blocks access to everything until logged in. Not sure if this is causing the issue as it seemed to work a few months ago. What should I check? Emailed links look like the following:

https://[domaininfo]/omeka/users/activate/u/8fcbe2a9baff5b3d107d7a87ff632d1e24bc4246


#2

Can someone explain to me how the link in the password reset email works? Maybe I can then troubleshoot this myself better.


#3

It’s certainly possible that it’s related to a plugin… basically the reset code gets stored in the database associated with the user that made the request, and the link goes to a page that looks up the code and presents the change password form.

There’s basically an exception list of pages you’re allowed to go to when you’re not logged in for the Omeka admin: the login page itself, the activate page you’re having problems with, and the forgot-password form to send the activate email.

It’s odd if it’s just activate that’s not available out of those, if that’s the case. If you’re already logged in you’ll be redirected away from those login-related pages, but that doesn’t sound like what’s happening since you said the redirect is going to the login page.


#4

So this is logging in to reset the password for Guest Users. I should have said that upfront. You’ll note that if you go to our login page - https://maoistlegacy.de/db/users/login - you actually can’t access anything without first logging in. So all users are required to create a guest user account before they can see contents. I had to modify the Guest User plug-in to force that. I’m guessing based on what you wrote above that this is precisely the issue… I’m hoping there’s a way around that, i.e., to allow the exception be the change password form? How would I do that?


#5

What does the modification you made look like? Presumably if the login page itself is working there’s an exception for that already, so it may just be a case of needing to add the “activate” page to a set of exceptions that’s already there in your code.


#6

Hi John - it’s very simple code with the access control list; I didn’t make an exception for the login page. I just check the user and prevent site access until they’re logged in. There’s an earlier thread where you can see the code. Maybe that’s the issue - I’d have to change this line, I guess:

 if (!$user && !$allowAccess){
            $this->_getRedirect()->gotoUrl(WEB_ROOT .'/users/login');
        }

If that’s even possible.


#7

The three if statements directly above that are exceptions for the login page, the guest user register page, and the forgot-password request page, respectively.


#8

Ah yeah, right. … So why wouldn’t it be working?


#9

You’ve allowed access to the reset request form, you just haven’t allowed access to the “users/activate” action that the reset link goes to.


#10

Thanks, that was easy enough and I can’t believe I overlooked it… just added the following line.

  	if ($requestParams['controller'] == 'users' && $requestParams['action'] == 'activate') {
            $allowAccess = true;
        }