Password Reset Page

What status does a user account have to be in for the Password Reset Page to function? I noticed that when I set a user account Under Construction the reset email wasn't being sent but if the account is Live then it works fine. This is a bit odd since we have a password attempt limit set so that a users account becomes 'locked' if multiple failed logon attempts are detected. So this is where the Password Reset Page would come in handy but it won't work for users who have already hit that limit. Is this correct? Is there a way around this?

I've thought about using Trigger for a workaround as a interim solution, for example: if a User account is set to Under Construction by a System Administrator (Root user would be included as part of this group I assume?) then set it to Up For Review, so the reset page would function.

Is there a neater way to do this if it is the only option? I can already see a conflict occurring if an actual System Administrator wanted to manually place a user account Under Construction as the Trigger would then fire. Perhaps there could be an option to set a user account to Up For Review once the attempt limit is reach - this could become an option in the System Configuration screen for a global setting and perhaps also as an option on the User Group Preferences Screen to allow for finer control.

Also on the Reset Bodycopy I couldn't find a keyword to print out the global password rules - does this keyword exist or should I put in a feature request? Having them display as a list would be useful.

So you want to lock user accounts after X failed logins, but then unlock them with a trigger as soon as this happens? Could you not just disable the lockout in system config? -It sounds like that is ultimately what you want to do.

An asset has to be Live before it can be placed Up for Review, so I think your trigger would have to make it Live first anyway.

Yea I know it sounds a little weird what I'm after but due to organisation policies we need to have that lock after the failed attempts. Kind of why I was hoping the lock could be modified to set an account to Up For Review instead of just Under Construction. If we disabled the lock in the sys config I can't see another way to change a status of an account.

Agree on the status flow with Triggers.

The idea behind this is to allow users to reset their passwords without having to contact the system administrators which would reduce workload and increase the turnaround time for a user to be able to get back into the system.

Maybe - just so your accounts aren't being made Live as soon as they go Under Construction, you could use a trigger to email the user once their account is locked. Inside this email, you could include a special link to their account that, when clicked, fires a trigger to make the account live, and then redirects them to a password reset page.

To achieve this, you could include a link to their user account with a unique query string. You could generate a unique code (using %globals_random_x_X% - with some replaces thrown in for good measure), then make the trigger set this code in a hidden meta field for the user. Include the same code in the link emailed out to the user. If the codes match when the user clicks the link, fire the next trigger to make their account live. - Just an idea.

This way, only the person receiving the email can actually make the account live again.

EDIT: This won't work though, doh! The public user won't have access to the Under Construction asset. But, you could use a middle-man asset, like a comment asset built by the first trigger that stores the data needed for everything to work, and then the link to this publicly accessible asset could be sent to the user and self-destruct once accessed.

Wow that is actually a really good and neat solution. I think I might give this a try thanks!

It's a little complicated, but if you can get it to work it will hopefully save dev time in the future. Good luck mate