[SOLVED] "Manually" craft 'reset password url

From one Plone site I need to send an email about resetting the password on another Plone site.

Is it possible to 'craft' a URL that fills in the username?

Something like `othersite.com/passwordreset?userid=some@email.com`.

If I remember right, this was possible in Plone 5, but in Plone 6 I get 'Error setting password, invalid Request'.

UPDATE: For now, I am using the API to craft it like this (is that ok?):

    from plone import api
    from Products.CMFCore.utils import getToolByName

    def build_reset_url(userid):
        portal = api.portal.get()

        # Plone 4 style (not used on Plone 5/6):
        # registration = getToolByName(portal, 'portal_registration')
        # token = registration.generateResetCode(userid)

        # Plone 5/6: generate the reset token, the same one Plone uses internally
        pas_reset = getToolByName(portal, 'portal_password_reset')
        reset_info = pas_reset.requestReset(userid)
        token = reset_info['randomstring']

        portal_url = portal.absolute_url()
        return f"{portal_url}/passwordreset/{token}?userid={userid}"

I don’t expect that will work. requestReset stores the request in the ZODB, so it won’t be there in the other site when it tries to validate the token.

There’s a good reason it’s not possible to do this without a token. It would be a security problem if unauthenticated users could reset any user’s password by knowing only the username.

For ‘both sites’ I am able to generate a token and send an email, probably the same way Plone does. (by using api on the other site). The ‘problem’ is that I would prefer the ‘reset password link’ to include the username. Maybe this is unwise from a security perspective (if so, I will tell my customer).

What they want is:

  1. Users are imported on site A from an Excel file (works now)
  2. Users from A can be added to any project (which would be 'Site B' or 'Site C' etc.)
  3. Site A then connects to site B and adds a user with 'the same info'.
  4. User is sent an email (currently from site A since I use a template that can be edited there)
  5. The user gets an email with ‘set your password’.
  6. Now, the user needs to ‘type the userid’ to set the password (first time).
  7. I would prefer that they don't have to type the password, especially if it is 'unique ids'. (Yes, I know they can copy/paste, but my customer sees it differently.)

In other words: I now manage to generate the link and put it in the email (`https://somesite.org/passwordreset/8771e1ed06f24a92a3572c5a8d3c192b?userid=name=longstringhere`), which works, but they have to 'input' longstringhere in the form.

I see. I think you would need to customize `pwreset_form.pt` (`Products.CMFPlone/src/Products/CMFPlone/browser/login/templates/pwreset_form.pt` in plone/Products.CMFPlone on GitHub) so that the userid input uses the value from the request param.

Thanks.

Works (jbot and `/overrides/Products.CMFPlone.browser.login.templates.pwreset_form.pt`)

With:

    <input class="form-control" name="userid" required id="userid" tal:attributes="value request/userid | nothing" />