XF 2.2 User password edited by other user account

xf 2.2.9
User 1 was banned 6 months ago.
User 2, which, come to find out, is a second account for user 1, edited the password for user 1. What went wrong, and how do we correct this so it does not happen again?



Weird. I thought only an admin could edit another user's password. Interested to see what the resolution on this is. I am assuming coldcases is the one you think is a sock for the banned user?


That's easy to explain :)

There was a password reset email sent for the banned account. When you set a new password while logged in with another account, that other account shows up in the change log.

So, no need to be afraid. ;)
If that were the case and he was logged in under user 2, the user log would show user 2 changed user 2's password, not user 2 changed user 1's password.

Have you checked the permissions of user coldcases, to make sure they haven't inadvertently been given moderator/admin privileges?
I found that "Use inline moderation on threads / posts" had wrong permissions


Please try for yourself:
  1. Create 2 accounts
  2. Ban account1
  3. Logout or open an incognito window and go to /lost-password/
  4. Enter the email address of account1
  5. Login as account2
  6. Visit the password reset link that you got for account1
  7. Change the password
Result: In the change log for account1 (the banned one) you will see account2 (the one you changed the password with) - exactly what happened on your forum.
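The reproduction above, modelled as an added example (constructed code, not XenForo's): the naive handler records the reset against whoever is logged in, so account2 appears as the editor of account1, and the triage helper shows why such an entry looks like a cross-account edit; the attributed variant is an assumed fix that records the token owner and the mechanism instead. Account names, the `via` and `session_user` keys, and the staff set are assumptions.

```python
# Constructed model of steps 1-7 above; not XenForo's code.
import secrets

def issue_reset_token(tokens, account):
    """Steps 3-4: /lost-password/ issues a token bound to account1's email."""
    token = secrets.token_hex(8)
    tokens[token] = account
    return token

def reset_password_naive(users, tokens, log, token, session_user, new_password):
    """Steps 5-7 as observed: the change log names the logged-in account as the editor."""
    target = tokens.pop(token)
    users[target] = new_password
    editor = session_user if session_user is not None else target
    log.append({"user": target, "edit_user": editor, "via": "user_edit"})
    return target

def reset_password_attributed(users, tokens, log, token, session_user, new_password):
    """Assumed fix: attribute the change to the token owner and record the mechanism,
    keeping the browsing session only as supporting context."""
    target = tokens.pop(token)
    users[target] = new_password
    log.append({"user": target, "edit_user": target, "via": "password_reset",
                "session_user": session_user})
    return target

def cross_account_edits(log, staff):
    """Triage helper: entries where a non-staff account appears to edit another account."""
    return [e for e in log
            if e["edit_user"] != e["user"] and e["edit_user"] not in staff]

def reproduce(handler):
    """Runs the reproduction with two constructed accounts and returns the change log."""
    users = {"account1": "old-pw", "account2": "pw2"}
    tokens, log = {}, []
    token = issue_reset_token(tokens, "account1")             # requested while logged out
    handler(users, tokens, log, token, "account2", "new-pw")  # link opened as account2
    return log
```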