• Resolved charliefishtank

    (@charliefishtank)


    Users with a role of Subscriber on our site should not be able to reset their password in the frontend Recover Password Form.

    I have added code suggested elsewhere to prevent password resets for those with the Subscriber user role shown below, but the email is still sending. So I am wondering if there are different hooks I can use with this plugin to prevent the email from sending and returning an error to explain Subscribers can’t reset their password.

    add_filter('allow_password_reset', function ($allow, $ID) {
        if ((! $allow) || is_wp_error($allow)) {
            // Rejected by a previous filter
            return $allow;
        }

        // Read the user's roles
        $user_data = get_userdata($ID);

        // subscriber users may not reset passwords
        if (in_array('subscriber', (array) $user_data->roles)) {
            return false;
        }

        return true;
    }, 10, 2);

    The email that is sent returns a link that correctly doesn’t have a valid key, meaning the password recovery won’t work but the link is structured like this: https://example.test/password-recovery/?key%5Berrors%5D%5Bno_password_reset%5D%5B0%5D=Password reset is not allowed for this user&&&login=charliedek.

    Any suggestions are appreciated!

Viewing 1 replies (of 1 total)
  • Plugin Support alexandrubodea

    (@alexandrubodea)

    Hi @charliefishtank,

    You can disable the email that we send using the following code:

    // Return an empty email body for Subscribers
    add_filter( 'wppb_recover_password_message_content_sent_to_user1', 'wppbc_change_recover_password_email_content', 20, 4 );
    function wppbc_change_recover_password_email_content( $recovery_email_message, $requested_user_id, $requested_user_login, $requested_user_email ){
        // The submitted value may be an email address or a username
        if ( is_email( $requested_user_login ) ) {
            $user = get_user_by( 'email', $requested_user_login );
        } else {
            $user = get_user_by( 'login', $requested_user_login );
        }

        // get_user_by() returns false when no user matches
        if ( $user && in_array( 'subscriber', (array) $user->roles ) ) {
            return '';
        }

        return $recovery_email_message;
    }

    // Return an empty email title for Subscribers
    add_filter( 'wppb_recover_password_message_title_sent_to_user1', 'wppbc_change_recover_password_email_title', 20, 2 );
    function wppbc_change_recover_password_email_title( $recovery_email_message_title, $requested_user_login ){
        // The submitted value may be an email address or a username
        if ( is_email( $requested_user_login ) ) {
            $user = get_user_by( 'email', $requested_user_login );
        } else {
            $user = get_user_by( 'login', $requested_user_login );
        }

        // get_user_by() returns false when no user matches
        if ( $user && in_array( 'subscriber', (array) $user->roles ) ) {
            return '';
        }

        return $recovery_email_message_title;
    }

    As for the success message, we have the following hook that can be used, but unfortunately, you will need to create the necessary custom code yourself (we don’t have one available). Keep in mind that it is not really possible to fail the action; you can just change the message (or choose not to send it).

    $success = apply_filters( 'wppb_recover_password_sent_message1', $success, $username_email );

    Best regards,
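
The reply above names the `wppb_recover_password_sent_message1` filter but gives no code for it. One way to use it, as an added example that is not from the thread or from the plugin's authors; it assumes `$username_email` holds the username or email typed into the form, and the function name, message text and text domain are made up for illustration:

```php
<?php
// Added example: replace the recover-password confirmation shown to Subscribers.
// The hook name and its two arguments come from the apply_filters() call quoted
// in the reply; everything prefixed "example_" is hypothetical.

function example_wppb_recover_message_for_subscribers( $success, $username_email ) {
    // Assumption: $username_email is the raw form input (username or email).
    $user = is_email( $username_email )
        ? get_user_by( 'email', $username_email )
        : get_user_by( 'login', $username_email );

    // No matching account: keep the plugin's own message.
    if ( ! $user instanceof WP_User ) {
        return $success;
    }

    // Subscribers get an explanation instead of the "email sent" confirmation.
    if ( in_array( 'subscriber', (array) $user->roles, true ) ) {
        return esc_html__(
            'Password reset is not available for this account. Please contact the site administrator.',
            'example-textdomain'
        );
    }

    return $success;
}
add_filter( 'wppb_recover_password_sent_message1', 'example_wppb_recover_message_for_subscribers', 20, 2 );
```

Because the message now differs by role, anyone submitting the form can tell that an account exists and is a Subscriber; use neutral wording if that matters on your site.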
