[Solved (more or less)] Always logged in after a password reset?

The last option in /@@security-controlpanel is:

Login user after password reset: After successful password reset the user will be logged in automatically.

Even when this option is unchecked (set to False), a user stays logged in after a successful password reset (using the /@@login-help form).

Actually, according to the _reset_password handler the user should not have been logged in (via a call to _auto_login) ...

Can someone try and confirm? I use Plone 5.2.5. Thanks.

In my policy addon I monkey-patched Products.CMFPlone.browser.login.password_reset.PasswordResetView._reset_password.
In my replacement function, after password reset I redirect to a simple logout view.

Automatic logout is required for my use case: I use a separate Plone instance to reset LDAP passwords, because the main web site does not have write access to the LDAP server.

Still, by design it seems that Plone should be logging off the user after a password reset.

Why? I find it natural that the user remains logged in; he can explicitly log out if this is what he wants.

I meant "logging off"...

I get your point, but why is there an option that doesn't work? Look at the code; the intention is to auto-logon only if the option is checked (it is checked by default). It looks like a bug to me; maybe it was never detected because most site admins don't uncheck the option.
