Ticket #54481: 54481-v1.patch.txt

diff -ur wordpress-582-orig/wp-admin/includes/class-wp-users-list-table.php wordpress/wp-admin/includes/class-wp-users-list-table.php
--- wordpress-582-orig/wp-admin/includes/class-wp-users-list-table.php  2021-06-08 17:21:57.000000000 -0500
+++ wordpress/wp-admin/includes/class-wp-users-list-table.php   2021-11-23 11:25:41.881266000 -0600
@@ -476,7 +476,7 @@
                        }
 
                        // Add a link to send the user a reset password link by email.
-                       if ( get_current_user_id() !== $user_object->ID && current_user_can( 'edit_user', $user_object->ID ) ) {
+                       if ( get_current_user_id() !== $user_object->ID && current_user_can( 'edit_user', $user_object->ID ) && is_password_reset_allowed( $user_object->ID ) ) {
                                $actions['resetpassword'] = "<a class='resetpassword' href='" . wp_nonce_url( "users.php?action=resetpassword&amp;users=$user_object->ID", 'bulk-users' ) . "'>" . __( 'Send password reset' ) . '</a>';
                        }
 
diff -ur wordpress-582-orig/wp-admin/user-edit.php wordpress/wp-admin/user-edit.php
--- wordpress-582-orig/wp-admin/user-edit.php   2021-06-07 18:49:58.000000000 -0500
+++ wordpress/wp-admin/user-edit.php    2021-11-23 11:28:22.566202900 -0600
@@ -672,7 +672,7 @@
 
                <?php
                // Allow admins to send reset password link.
-               if ( ! IS_PROFILE_PAGE ) :
+               if ( ( ! IS_PROFILE_PAGE ) && is_password_reset_allowed( $profileuser->ID ) ) :
                        ?>
        <tr class="user-generate-reset-link-wrap hide-if-no-js">
                <th><?php _e( 'Password Reset' ); ?></th>
diff -ur wordpress-582-orig/wp-includes/user.php wordpress/wp-includes/user.php
--- wordpress-582-orig/wp-includes/user.php     2021-07-12 19:07:59.000000000 -0500
+++ wordpress/wp-includes/user.php      2021-11-23 11:15:14.813439300 -0600
@@ -2501,6 +2501,31 @@
        return apply_filters( 'password_hint', $hint );
 }
 
+/** Returns whether to allow a password to be reset.
+ *
+ * @since 6.0.0
+ *
+ * @param WP_User $user User to retrieve password reset key for.
+ * @return bool True if password reset is allowed, false if not allowed.
+ */
+function is_password_reset_allowed( $user ) {
+       $allow = true;
+       if ( is_multisite() && is_user_spammy( $user ) ) {
+               $allow = false;
+       }
+
+       /**
+        * Filters whether to allow a password to be reset.
+        *
+        * @since 2.7.0
+        *
+        * @param bool $allow Whether to allow the password to be reset. Default true.
+        * @param int  $ID    The ID of the user attempting to reset a password.
+        */
+       $allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
+       return $allow;
+}
+
 /**
  * Creates, stores, then returns a password reset key for user.
  *
@@ -2539,25 +2564,8 @@
         */
        do_action( 'retrieve_password', $user->user_login );
 
-       $allow = true;
-       if ( is_multisite() && is_user_spammy( $user ) ) {
-               $allow = false;
-       }
-
-       /**
-        * Filters whether to allow a password to be reset.
-        *
-        * @since 2.7.0
-        *
-        * @param bool $allow Whether to allow the password to be reset. Default true.
-        * @param int  $ID    The ID of the user attempting to reset a password.
-        */
-       $allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
-
-       if ( ! $allow ) {
+       if ( ! is_password_reset_allowed( $user ) ) {
                return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
-       } elseif ( is_wp_error( $allow ) ) {
-               return $allow;
        }
 
        // Generate something random for a password reset key.