I was able to track it down a bit:
- After resetting a password I can see the `__ac` cookie is changed.
- When disabling the `acl_users.userFolderEditUser()` in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/controlpanel/browser/usergroups_usersoverview.py#L187, the user is not changed.
- When resetting the password for multiple users, the last user in the list becomes active.
But I couldn't find the part which is actually switching the user.
@jensens, @mauritsvanrees can you take a look at this?
EDIT (I had to edit since only 3 replies are allowed)
I found it: https://github.com/plone/Products.PlonePAS/commit/56470e67248608c57572bfb361f4e1b80bb9cd1b
The `notify(CredentialsUpdated(self.getUserById(principal_id), password))` at the end triggers a `_setupSession()`, which calls `_setCookie()`, which at the end sets the new cookie, but with the userid from the selected user, not the current user.
EDIT 2
Issue created: https://github.com/plone/Products.PlonePAS/issues/57
EDIT 3
The good thing is: it is not possible to reset the password of a user with the Manager role when one is a Site Administrator only. So one cannot switch to a user with more permissions.
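The cookie mix-up described in this post, as an added example that is not part of the original post or of Products.PlonePAS: a self-contained Python model in which a password-reset loop fires a `CredentialsUpdated` event per user and a subscriber (re)issues the `__ac` session cookie. The names `Request`, `CredentialsUpdated`, `reset_passwords`, `setup_session_vulnerable` and `setup_session_fixed` are hypothetical stand-ins for the Plone machinery named above, not its real API. The vulnerable subscriber binds the cookie to the principal from the event, so after resetting several users the browser ends up logged in as the last one; the fixed subscriber only refreshes the session when the updated principal is the caller.

```python
"""Toy model of the session-cookie mix-up (added example, not PlonePAS code).

All class and function names here are hypothetical stand-ins for the
notify(CredentialsUpdated(...)) -> _setupSession() -> _setCookie() chain
described in the post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class CredentialsUpdated:
    """Stand-in for the event fired after a user's password is changed."""
    principal_id: str
    password: str


@dataclass
class Request:
    """Who is logged in on this request, plus the cookies the response sets."""
    authenticated_user: str
    cookies: Dict[str, str] = field(default_factory=dict)


Subscriber = Callable[[Request, CredentialsUpdated], None]


def set_cookie(request: Request, user_id: str, password: str) -> None:
    """Stand-in for _setCookie(): binds the session cookie to a user.
    The real value is an encoded credential; 'user:password' is enough here."""
    request.cookies["__ac"] = f"{user_id}:{password}"


def setup_session_vulnerable(request: Request, event: CredentialsUpdated) -> None:
    """Subscriber as the post describes it: always issues a cookie for the
    principal named in the event, even when that is not the caller."""
    set_cookie(request, event.principal_id, event.password)


def setup_session_fixed(request: Request, event: CredentialsUpdated) -> None:
    """Only refresh the session when the updated principal IS the caller.
    An administrator resetting someone else's password keeps their own session."""
    if event.principal_id == request.authenticated_user:
        set_cookie(request, event.principal_id, event.password)


def reset_passwords(request: Request, targets: List[str],
                    subscriber: Subscriber) -> Dict[str, str]:
    """Stand-in for the control-panel loop: store a new password per user,
    then notify(CredentialsUpdated(...)) for each one, in list order."""
    passwords: Dict[str, str] = {}
    for user_id in targets:
        passwords[user_id] = f"new-password-for-{user_id}"  # constructed value
        subscriber(request, CredentialsUpdated(user_id, passwords[user_id]))
    return passwords


def cookie_after_reset(targets: List[str], subscriber: Subscriber) -> str:
    """Run the reset as 'siteadmin' and return the __ac cookie that is sent back."""
    request = Request(authenticated_user="siteadmin",
                      cookies={"__ac": "siteadmin:old-password"})  # constructed
    reset_passwords(request, targets, subscriber)
    return request.cookies["__ac"]


def active_user_after_reset(targets: List[str], subscriber: Subscriber) -> str:
    """The user the browser is logged in as once the response is sent."""
    return cookie_after_reset(targets, subscriber).split(":", 1)[0]


if __name__ == "__main__":
    # Vulnerable: the admin's browser is now logged in as the last user reset.
    print(active_user_after_reset(["alice", "bob"], setup_session_vulnerable))
    # Fixed: the admin keeps their own session ...
    print(active_user_after_reset(["alice", "bob"], setup_session_fixed))
    # ... but still gets a fresh cookie when changing their own password.
    print(cookie_after_reset(["siteadmin"], setup_session_fixed))
```

The third call matters as a regression check: a fix that simply suppresses the cookie refresh for every password reset would also stop refreshing the session when a user changes their own password, which is the case the event exists for.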