Require Reset logout

[davichos]

Steps to reproduce the issue

1. Set one user to require/reset in administrator mode
2. Login with the user to reset password
3. Not do nothing, just try logout
4. The user can't logout

Expected result

The user be able to logout

Actual result

The user can´t logout until reset password

System information (as much as possible)

Joomla Version 3.8+
PHP 7.1 +
PHP 7.2 +
PHP 7.3 +
PHP 7.4 +

Additional comments

I solved the problem editing the file libraries/src/Application/SiteApplication.php
change the line 230 in version 3.9.19

$this->checkUserRequireReset('com_users', 'profile', 'edit', 'com_users/profile.save,com_users/profile.apply,com_users/user.logout');

for
$this->checkUserRequireReset('com_users', 'profile', 'edit', 'com_users/profile.save,com_users/profile.apply,com_users/user.logout,com_users/user.menulogout');

[richard67]

@SniperSister Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

[richard67]

@zero-24 Same question to you: Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

[SharkyKZ]

Based on code review, user can logout, just not when using Logout menu item type in com_users. Must have been an oversight when menu item was added. So the fix should be valid.

[richard67]

@davichos Do you want to make a pull request with your change? Or do you prefer someone else to do it?

[zero-24]

@zero-24 Same question to you: Is there any security reason that a user who logged in for a password reset can't log out anymore until having done the reset?

I'm not aware of any but that feature was initial developed by Michael and IIRC uses an whitelist of pages that are still allowed. I personally would argue that when you logged in and you are required to reset your PR you should change it than.

[brianteeman]

I'm with @zero-24 why would you not want to change it.

[Quy]

So is this a won't fix?

[HLeithner]

Looks more like a bug looking at the provided source line (and fix)
$this->checkUserRequireReset('com_users', 'profile', 'edit', 'com_users/profile.save,com_users/profile.apply,com_users/user.logout');

if I understand it correctly the last entry would mean logout is allowed.

[davichos]

@richard67 i prefer someone else do it

[brianteeman]

Thank you for raising this issue.

Joomla 3 is now in security only mode with no further bug fixes or new features.

This issue is still relevant for Joomla 4 BUT the fix etc here is not suitable for Joomla 4

[Hackwar]

I created a PR #44520 for this. Please test. Since there is a PR for this problem, I'm closing this one.

[Hackwar]

I closed #44520 in favour of #44521