Support

This is extremely unlikely based on the fact that we have this option enabled on our own sites and we see an average of 30 successful password resets every week. If your suspicion was correct, our clients would not have been able to reset their passwords.

I believe it's a configuration issue on your site. But before I tell you what to do, let me explain how this feature works, and you will see why I came to this otherwise random–sounding conclusion.

The “Disable creating / editing users from the frontend” is a feature controlled by two options.

The “Disable creating / editing users from the frontend” option is the main on/off switch. When it's set to No, this feature is disabled. When it's set to Yes, it's enabled.

Enabled to do what, though? That's where the “Disable creating / editing users in these groups from the frontend” option comes into play. One way to use it is to explicitly specify which user groups it will apply to; this is something you have to manually. The default is to leave it empty. When it's empty, Admin Tools will block editing or creating a user if any of the user groups it belongs to has backend access (the “Administrator Login” core.login.admin privilege is allowed), or Super User access (the “Super User” (core.admin) privilege is allowed).

Normally, regular users belong to the Registered user groups which does not have any of these privileges; they are set to Inherited. The parent of the Registered user group is the Public group which is NOT the same as Guest. The Public pseudo-group is the “root” of the user groups “tree”. Its privileges MUST be set to Inherited (which cause an implicit, therefore overridable, deny).

I believe that you either have users who belong in one or more user groups erroneously given the Administrator Login or Super User privilege, or you accidentally set one or both of these privileges to Allowed in the Public group, thereby having that allowed privilege inherited all the way up the user groups tree.

Finally, as to why this feature is triggered when you do a password reset, you need to understand how this works in Joomla. When you ask for a password reset, Joomla loads your user record, and saves into it an activation key and a flag to indicate it's a password reset. Saving the user account triggers the onUserBeforeSave event which is handled by Admin Tools in the course of implementing this feature. So, if the user you are trying to reset is in a group caught by this feature, the password reset will be blocked.

That said, you are wrong about the Forgot Your Username feature. This is not blocked. As you can see in \Joomla\Component\Users\Site\Model\RemindModel::processRemindRequest() this Joomla feature NOT save the user record, therefore does not trigger this Admin Tools feature. It just sends an email. I think that part of your report is you misremembering what you were doing.

I am wondering how accurate your original ticket was.

Here's what I have done before replying to you (bear with me, it's important).

Test A. “Disable creating / editing users from the frontend” -> Yes,  “Disable creating / editing users in these groups from the frontend” -> Super Users (only!).

• Forgot Your Username: Works for user in the Registered group.
• Forgot Your Username: Works for user in the Super User group.
• Forgot Your Password: Works for user in the Registered group.
• Forgot Your Password: Blocked for user in the Super User group.

Test B. “Disable creating / editing users from the frontend” -> Yes,  “Disable creating / editing users in these groups from the frontend” -> Empty.

• Forgot Your Username: Works for user in the Registered group.
• Forgot Your Username: Works for user in the Super User group.
• Forgot Your Password: Works for user in the Registered group.
• Forgot Your Password: Blocked for user in the Super User group.

Test C. “Disable creating / editing users from the frontend” -> No.

• Forgot Your Username: Works for user in the Registered group.
• Forgot Your Username: Works for user in the Super User group.
• Forgot Your Password: Works for user in the Registered group.
• Forgot Your Password: Works for user in the Super User group.

Note that tests B and C are very similar to the standard tests we do on Admin Tools anyway. I did Test A because you explicitly described setting the feature for Super Users only.

This is why I have said that what you described about Forgot Your Password –beyond the fact that we do not observe it on our own site– cannot be reproduced.

Moreover, we can see that as expected the  “Disable creating / editing users from the frontend” option has no effect on Forgot Your Username.

However, you said that neither Forgot Your Password nor Forgot Your Username works for Registered users on your site. Since the latter is not affected by Admin Tools, if you are absolutely sure that it does happen then yes, maybe a third party extension is involved.

That said, I don't think that this was ever an issue. I think the Forgot Your Username was something you misremembered, therefore I am willing to throw it away. If I throw it away, then the issue you described regarding Forgot Your Password is plausible. Beyond what I told you, the only other way to reproduce it is if the “Disable creating / editing users in these groups from the frontend” option accidentally includes more user groups than just Super Users. Why don't you try removing all groups from it and see if the problem persists? If removing all groups fixes your problem, the root cause was that you had made a wrong selection by accident; it happens to all of us, nothing to be ashamed of.

If it does not fix your problem, then I would indeed start wondering if it's a third party extension causing it, or maybe if Joomla did not update the software properly. I would try to install Admin Tools twice in a row, without uninstalling it before or in between, to see if that fixes the problem. If it doesn't, well, I'd start looking into third party software and quadruple check permissions and user to user group assignments, because something's not right.