Disabling password changes on the console has no effect. One can still send the IQ packet manually to change their password.
I think there is a misunderstanding here that lead to an incorrect fix. The system property "register.password" was being used to specify if users can change their password or not. The system property "xmpp.auth.iqauth" was being used to specify if the old IQ authentication method was available or if SASL should be used instead.
Having said that, the error was that the old IQ auth method also allowed to change password and not only authenticate people. AFAIK, the fix would be to modify IQAuthHandler#passwordReset so that it checks on the system property "register.password" to see if users can change their passwords.
Thanks for the feedback. You wish for me to commit a patch correcting this or can you do it quick?
I just checked in my version of the fix. Let me know if you are ok with it. Tks.
Hehe, I doubt I can challenge your changes! Thanks for the fix.