diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 07725a83ed7..bd8427ecc85 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -157,9 +157,12 @@ abstract class AccountForm extends ContentEntityForm implements TrustedCallbackI
];
$form_state->set('user', $account);
- // The user may only change their own password without their current
- // password if they logged in via a one-time login link.
- if (!$form_state->get('user_pass_reset')) {
+ // If logged in via a one-time login link entering a new password is
+ // required and the user does not need to enter their current password.
+ if ($form_state->get('user_pass_reset')) {
+ $form['account']['pass']['#required'] = TRUE;
+ }
+ else {
$form['account']['current_pass']['#description'] = $this->t('Required if you want to change the Email address or the Password field below. Reset your password.', [
':request_new_url' => Url::fromRoute('user.pass')->toString(),
]);
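Review bot: The rewritten comment above `if ($form_state->get('user_pass_reset'))` drops the constraint the old one recorded, namely that the current password may be skipped only after a one-time login link. That limit is the security-relevant part of this branch, so I would keep it, for example `// The current password may be skipped only when the user logged in via a one-time login link; in that case a new password is required.` The branch also writes to `$form['account']['pass']`, which is defined outside this hunk, so it is worth confirming that the element always exists when this code runs. The `else` body continues past the end of the hunk.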
diff --git a/core/modules/user/tests/src/Functional/UserPasswordResetTest.php b/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
index 7ad09f53748..9f1eccf6b1b 100644
--- a/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
+++ b/core/modules/user/tests/src/Functional/UserPasswordResetTest.php
@@ -138,6 +138,10 @@ class UserPasswordResetTest extends BrowserTestBase {
$this->assertSession()->linkExists('Log out');
$this->assertSession()->titleEquals($this->account->getAccountName() . ' | Drupal');
+ // Try to save without entering password.
+ $this->submitForm([], 'Save');
+ $this->assertSession()->pageTextContains('Password field is required.');
+
// Change the forgotten password.
$password = \Drupal::service('password_generator')->generate();
$edit = ['pass[pass1]' => $password, 'pass[pass2]' => $password];
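Review bot: The added assertion covers only the reset flow, so nothing here shows that the password stays optional on an ordinary edit, which is what the new `else` branch in AccountForm is meant to preserve. A negative check would guard against `#required` leaking into the normal form: load the edit page without the reset token, submit with `$this->submitForm([], 'Save');` and assert `$this->assertSession()->pageTextNotContains('Password field is required.');`. It would also help to assert that the empty submit left the user on the reset form, rather than relying on the later password change to prove it. The test method starts and ends outside this hunk, so such a check may already exist elsewhere.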