Resolution: No Longer Reproducible
Affects Version/s: 7.0.X, 7.1.X, 7.2.X, Master
Fix Version/s: None
Component/s: Application Security > Login/Sign in Portlet
When the portal is configured to send password reset links instead of passwords insecurely in the email body, the "Password Changed Notification" portlet preference as configured via the portlet instance will never be used. It should be removed from this configuration scope, or maybe just shown as read only.
Steps to reproduce:
- Via "Server Administration" in control panel configure a SMTP email server connection
- Via "Instance Settings" in control panel configure...
- "Allow users to request forgotten passwords?" = true
- "Allow users to request password reset links?" false.
- Place the "Sign in" portlet on a page and click to configure it
- On the "Password Changed Notification" tab add a recognizable string to the email subject or body.
- Log out
- Using the login portlet, click "Forgot Password" and complete the challenges
- Wait for the email to arrive and complete the password reset process to set a new password
Expected result: The email that is received contains the recognizable string
Actual result: The email received is derived from the template configured/defaulted in "Instance Settings" > "Email" instead
Please note that the email template configured in step 4 is used if you reverse the configuration in step 2, so it is not completely redundant.