Simpler Password Reset in Drupal 7 - Revisited and Improved

This is a follow-up to my earlier post in which I described a simple trick changing Drupal's password reset behavior. That trick emails the user a link that logs them directly into the website, instead of the default one-time login page. That one-time login page forces user to click a Log in button before they are able to change their password.

In the thread following that original post, Heine referred me to the Drupal issue in which the one-time login form was created. Now I understand better the reasons behind the one-time login form. To be perfectly frank, the solution from that thread was lazy. It solved the problem, but not elegantly, and Drupal deserves better. The user asked to reset their password so that's the form they should see, as soon as possible without the unnecessary step.

Here's what the user sees first, in core Drupal:

And here's what (I think) they should see:

This post describes how to accomplish this with a custom module. [UPDATE: Save yourself the trouble of writing a custom module by downloading Simple Password Reset module from drupal.org.]

Our strategy is to replace the unwanted behavior, which comes from a menu item defined in user.module. We use hook_menu_alter() to replace that behavior.

<?php function custom_menu_alter(&$items) {   // Drupal's default behavior is to show the user a log-in form, then their user profile.  We change this item to skip the unnecessary step.   $items['user/reset/%/%/%'] = array(     'title' => 'Reset password',     'access callback' => 'custom_pass_reset_access',     'access arguments' => array(2, 3, 4),     'page callback' => 'custom_pass_reset_page',     'page arguments' => array(2, 3, 4),     'type' => MENU_CALLBACK,   ); } ?>

An access callback ensures that only users who received the password reset email can reset their password. The URL parameters have to be just right. This is the same logic used in the core Drupal function that renders the one-time login form.

<?php function custom_pass_reset_access($uid, $timestamp, $hashed_pass) {   if (!drupal_anonymous_user()) {     return FALSE;   }  // Following logic copied from user_pass_reset().   // Time out, in seconds, until login URL expires. Defaults to 24 hours =   // 86400 seconds.   $timeout = variable_get('user_password_reset_timeout', 86400);   $current = REQUEST_TIME;   // Some redundant checks for extra security ?   $users = user_load_multiple(array($uid), array('status' => '1'));   if ($timestamp <= $current && $account = reset($users)) {     // No time out for first time login.     if ($account->login && $current - $timestamp > $timeout) {       drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));       drupal_goto('user/password');     }     elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {       return TRUE;     }   }   return FALSE; } ?>

Now that our access callback ensures only the right users can access our reset page, we can show the profile edit form. Remember, this is where Drupal shows the unwanted one-time login. Instead we let the user make the password change right away.

That seems quite simple, but we're not done. At this point the user would be able to change their password, but then they'd have to log in manually. We want to save them the trouble, and log them in right away. The profile edit form becomes the one-time login form. To do this, we need a hook_form_alter().

<?php function custom_form_user_profile_form_alter(&$form, &$form_state) {   if (arg(0) == 'user' && arg(1) == 'reset' && drupal_anonymous_user()) {     // This is not the normal profile edit form, but actually the password reset form.    // Our submit handler will log the use in after form submit.     $form['#submit'][] = 'custom_pass_reset_submit';    // Require a new password.     $form['account']['pass']['#required'] = TRUE;    if (arg(5) == 'brief') {       // The user is most interested in getting a working password, don't show their picture, timezone, etc.       foreach (element_children($form) as $key) {         if (in_array($form[$key]['#type'], array('hidden', 'actions'))) {           // Do not alter these elements.         }         else {           // Hide other elements.           $form[$key]['#access'] = FALSE;         }       }       // Except don't hide these.       $form['account']['#access'] = TRUE;       $form['actions']['#access'] = TRUE;       $form['actions']['submit']['#value'] = t('Reset password');      // But seriously do hide these.       $form['account']['mail']['#access'] = FALSE;     }   } }function custom_pass_reset_submit($form, &$form_state) {   if (drupal_anonymous_user()) { // Sanity check.     // This logic copied from user_pass_reset().     $account = $form_state['user'];     $GLOBALS['user'] = $form_state['user'];     user_login_finalize();    watchdog('user', 'User %name used one-time login link.', array('%name' => $account->name));     drupal_set_message(t('Your password has been reset.  Welcome back, %name.', array('%name' => format_username($account))));    $form_state['redirect'] = 'user';   } } ?>

Two things to note in the above code. First, we add a submit handler to the profile edit form (but only when used to reset a password). Our submit handler logs the user in so they don't have to do it manually.

Second thing to notice, we honor an optional parameter, "brief", which abbreviates the form. This is because Drupal uses the reset page not just when a password is reset but also when new user accounts are created or email addresses are confirmed. In those cases it may be reasonable to show the entire profile edit form. When just resetting password, it's nice to show them only that portion of the form. To use this feature, under Admin >> Configuration >> People >> Settings >> Password recovery, replace the token [user:one-time-login-url] with this:

[user:one-time-login-url]/brief

This technique allows an administrator to choose between the longer or shorter version of the form fairly easily.

So there you have it! This approach should have none of the drawbacks of my earlier trick, and all the benefits.

Tags:

drupal

Original Article:

Simpler Password Reset in Drupal 7 - Revisited and Improved