Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by on Saturday, 19 March 2022 20:17 CDT
The WAF hardening options "Disable creating / editing backend users from the frontend" also blocks sending an email after clicking "forgot your password" for registered users.
I cannot even "activate" a user with this setting on.
Very annoying....
What is going wrong?
Thanks
Didier.
Your issue cannot be reproduced. I tried that on a brand new Joomla 3.10.6 installation with Admin Tools 6.1.5, default configuration plus “Disable creating / editing backend users from the frontend” enabled. I created a new Registered user in the backend and used the password reset in the frontend for that user. I got the email just fine. I went through the password reset just fine. The new password works.
Something in your description does not make sense. This feature only blocks frontend user operations for users who are already assigned or are being assigned in user groups which have the Backend Login permission. The Registered user group does not have that permission by default.
This leaves us with three possible reasons for your issue:
1. It's unrelated to Admin Tools. Have you tried reproducing the issue after disabling the System - Admin Tools plugin? Is it possible that your problem is your site's email configuration?
2. You have added the Backend Login permission to your Registered group. Essentially, you have made every single user on your site a backend user which is a bad idea and a security issue. If that's the case I would say that you have a far more serious problem than not sending password reminder emails!
3. You have a third party plugin which is doing something stupid, somehow adding users to a user group that has the Backend Login permission enabled. In this case you have a security issue being perpetrated by the third party plugin and your issue is once again something far more serious than not sending password reminder emails!
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Thank you very much for your quick and clear answer.
Unbelievable, but the group to which almost all registered users belong had access to the backend. So did other random subgroups of registered users.
I am the only one who has access to the backend and registration is not possible, I create the users myself.
This is also a very recent problem, a few weeks ago I had a user set a new password via this system and it still worked then.
I can't believe I granted these rights myself, I am a bit security paranoia, some rights even seem absurd and random to me. And the website and rights have not changed for at least two years, except for updates and adding some users.
I also find it hard to believe that support from an extension supplier, who have already been granted temporary access in the past, would have done this.
Backend access is secured via folder with .htaccess password and the only superuser logs in via 2FA. I am changing the .htaccess access immediately and will continue to look. I have some other problems, including errors when I go to PHP 8.0, so I stay on 7.4 for now.
After changing permissions, password resetting works again as it should.
Thanks again.
Didier.
You're welcome!
I am glad that Admin Tools helped you catch even this kind of unlikely problem :)
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!