From fc55dcd90823d3d798ef1cc757c473e4853da322 Mon Sep 17 00:00:00 2001
From: samyou-softwire
Date: Mon, 20 Apr 2026 16:33:12 +0100
Subject: [PATCH] CLDC-4330: Use this new flag to determine when to show password reset
---
 app/controllers/auth/confirmations_controller.rb | 5 ++++-
 app/controllers/auth/passwords_controller.rb | 1 +
 app/models/user.rb | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/auth/confirmations_controller.rb b/app/controllers/auth/confirmations_controller.rb
index d3f617822..c9586fb73 100644
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@@ -5,7 +5,10 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
 yield resource if block_given?
 if resource.errors.empty?
- if resource.sign_in_count.zero?
+ # previously we reset sign in count to indicate that a user was deactivated and so needs to reset their password on confirming their email post reactivation.
+ # now we have a specific flag for this.
+ # though for backwards compatability we need to ensure previous users with a reset sign in count still will see the password reset screen
+ if resource.reset_password_on_confirmation || resource.sign_in_count.zero?
 token = resource.send(:set_reset_password_token)
 redirect_to "#{edit_user_password_url}?reset_password_token=#{token}&confirmation=true"
 else
diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index e4a21675b..7561ab129 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
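Review bot: The comment on the new condition in Auth::ConfirmationsController describes `resource.sign_in_count.zero?` purely as a backwards-compatibility fallback, but that test is presumably also true for a newly created user who has never signed in, so a later clean-up that drops it could remove the set-password step for first-time confirmations. Because this branch decides when a reset-password token is issued to whoever holds the confirmation link, I would state both cases in the comment, e.g. `# reset on confirmation when flagged (reactivated users) or when the user has never signed in (new users, and users deactivated before the flag existed)`, and correct the spelling to "compatibility". The `show` action begins and ends outside this hunk, so the `else` path is not visible here.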
@@ -37,6 +37,7 @@ class Auth::PasswordsController < Devise::PasswordsController
 if resource.errors.empty?
 resource.unlock_access! if resource.respond_to?(:unlock_access!)
+ resource.reset_password_on_confirmation = false if resource.reset_password_on_confirmation
 if Devise.sign_in_after_reset_password
 set_flash_message!(:notice, password_update_flash_message)
 resource.after_database_authentication
diff --git a/app/models/user.rb b/app/models/user.rb
index ea8289e53..0ff8f56e2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -179,7 +179,7 @@ class User < ApplicationRecord
 update!(
 active: false,
 confirmed_at: nil,
- sign_in_count: 0,
+ reset_password_on_confirmation: true,
 initial_confirmation_sent: false,
 reactivate_with_organisation:,
 unconfirmed_email: nil,
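Review bot: The added line in Auth::PasswordsController only assigns `reset_password_on_confirmation = false` in memory, after `unlock_access!` has already run, and nothing visible in this hunk saves the record afterwards. If the flag is persisted at all, it is as a side effect of a later save (probably the sign-in tracking update), which would not happen when `Devise.sign_in_after_reset_password` is false; the flag would then stay true and the next email confirmation would again issue a reset-password token. Persisting it explicitly removes that dependency, e.g. `resource.update_column(:reset_password_on_confirmation, false) if resource.reset_password_on_confirmation` (this skips validations and callbacks, so use `update!` if those matter here). The `update` action continues outside the hunk, so a later save may exist there.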
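Review bot: In app/models/user.rb the deactivation `update!` now sets `reset_password_on_confirmation: true`, but nothing visible here invalidates the existing password, so the flag only steers the redirect that follows email confirmation. If a reactivated user confirms their email and then abandons the reset form, the old password would presumably still authenticate; if the reset is meant to be mandatory, the sign-in path needs to consult the flag as well (for example in `active_for_authentication?`). A short comment on the new line would help, e.g. `# forces the password-reset screen on next email confirmation; cleared in Auth::PasswordsController`. The enclosing method starts and ends outside the hunk.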