I am using the EZ Publish CMS:
1. From the forgot password page, user enters the email address that they used to register and submits
2. User receives an email with a password generating link which uses a hash to confirm their identity.
3. User receives an email with a freshly generated password
4. User returns to site using the link from their email which takes them to a form that asks for the old password (which was just generated and has been sent to their email) and for them to enter a new password.

1. From the "forgot password" page, user enters the email address that they used to register and submits
2. User receives an email with a link to the "enter new password" form
3. On the "enter new password" form, user is not required to enter old password because identity has already been confirmed by hash and therefore only has to enter the new password.
I am using the EZMBPAEX extension, which has the original 4-step process. There doesn't seem to be any documentation or discussion about removing the "email the user a new password" step, but my client has a very strict "no passwords sent by email" policy, so I can't flex on this.
Does anyone know where I can find documentation on how to edit this functionality?
I think the file that will need to be edited is located in:
/extension/ezmbpaex/modules/userpaex/forgotpassword.php
When I updated the plugin it had the number of steps I wanted.