Password Reset Button Showing

Relevant section of code is here : https://plugins.trac.www.ads-software.com/browser/wpdirauth/trunk/wpDirAuth.php#L2207

It uses the filter show_password_fields to hide the password change fields and change the password reset message. And it uses the filter allow_password_reset to disallow a user marked as a dirAuth user to change their password. I don’t see any mention of changes with those two filters in the docs. The second one relies on wpDirAuthFlag being set to 1 in the user’s metadata. That same flag should be preventing them and you from resetting the password. Can you query your database for a known dirAuth user and look to see if that flag is set in their metadata?

wpDirAuthFlag is definitely set to one. I wonder if there’s another plugin stepping on this. I’ll look around and see what I have activated.

[ … ]

I’m running this on two multisite blogs, and I get the same problem with both of them. The simpler one has only a dozen or so network-activated plugins.

So I tried de-activating everything. First all the network-activated plugins (except for this one); then all the activated plugins on the home blog. I still see the reset-password button.

a couple of follow-up questions: if they attempt to reset their password in the profile area, does it succeed or do they get an error? If it succeeds, if they log out, can they log back in with the new password (ie bypassing directory authentication)?

Sorry for the delayed response, but in answer to the question:

I reset my password in the profile page, using the recommended strong password.

When I logged out and tried to log back in with the new password, it failed; when I entered the original (Active Directory) password it succeeded. So it doesn’t appear to be bypassing directory authentication

so that’s good that it’s still enforcing AD authentication.

I grabbed the code and stripped it down to verify the sections of code I linked above are working properly on my test site, and so far, it’s removing the password reset option in the profile area AND it prevents me from trying to change my password from the login screen.

The only difference is that you mentioned your site is a multisite and my testing site is a single site. Let me set up a mutlisite and see if I can replicate this issue.

ok, converted my personal site into a multisite and tried the same thing: attempting to use the password reset from the login screen for a user that has the dirAuthFlag set to 1 results in an error that it can’t reset the password. If I log in and look at my profile, the password reset options are removed and replaced with the Directory Password Update heading and message as configured in the options.

By chance do you have any must-use plugins installed or any other plugins that deal with logging in, authentication, user profiles, etc?

Same thing if I try to edit a user’s profile as a Super-Admin: password reset fields are replaced with the Directory Auth message about not being able to change the password.

I’m using “User Role Editor,” https://www.ads-software.com/plugins/user-role-editor/ , to create custom permission sets.

I dont see anything immediately in the code that should conflict, but that doesn’t mean this isn’t the root issue. I added the plugin and network activated it, and I’m still not seeing the password fields in either my own profile or if i go to edit a user’s profile.

There *is* a “send password reset button if you’re a super-admin and are editing a user’s profile, but that does not show up for the user if they go to their profile.

I haven’t created any new roles though since I’m not sure what settings you have or haven’t enabled.

Do you have a dev/staging environment where you can temporarily disable that plugin to see if it’s causing the conflict?

I have two multi-user sites that are running both plugins. I disabled User Role Editor in one of them, but it didn’t make any difference. I still saw the Set New Password button.

I’m stumped at this point as I can’t recreate it. The only difference I can think of is my sites are all on v6.2.2 of WordPress since 6.3 isn’t available via johnpbloch/wordpress yet.

What version of WordPress are those sites on? I have one still on 5.9 I just tested but couldn’t replicate the issue there either.

ah-ha! found it!
as of version 6.0 of WordPress, the global variable $profileuser was removed. so in the function at line 1189, it was using a null value when trying to check to see if the current user is an ldap-authenticated user, and therefore always returning?true (ie showing the password reset button).

at line 1191, change
global $profileuser, $userdata;
to
global $user_id, $userdata;

then at line 1193, change
$editUserIsDirUser = get_user_meta($profileuser->ID, 'wpDirAuthFlag',true);
to
$editUserIsDirUser = get_user_meta($user_id, 'wpDirAuthFlag',true);

and finally, change line 1211 from
if ($userdata->ID == $profileuser->ID) {
to
if ($userdata->ID === $user_id) {

And see if that fixes it?

Big shout-out and gratitude to @silsbyc for the assistance!

v1.10.6 released with the above fixes. Going to go ahead and mark this as resolved.

Looks good, thanks!