Index: lib/TWiki.cfg
===================================================================
--- lib/TWiki.cfg (Revision 7286)
+++ lib/TWiki.cfg (Arbeitskopie)
@@ -234,6 +234,13 @@
 # passwords.
 $cfg{PasswordManager} = 'TWiki::Users::HtPasswdUser';
 
+# **BOOLEAN**
+# Users who forgot their passwords can have it reset to a random password which
+# is mailed to them. This can be a security problem if user's mail addresses
+# are writeable by all users. If you set {PasswordResetByAdmin} to a true value
+# then only members of the administrator group can initiate password reset.
+$cfg{PasswordResetByAdmin} = $FALSE;
+
 # **PATH**
 # Path to the file that stores passwords, for the TWiki::Users::HtPasswdUser
 # password manager. You can use the htpasswd Apache program to create a new
Index: lib/TWiki/UI/Register.pm
===================================================================
--- lib/TWiki/UI/Register.pm (Revision 7286)
+++ lib/TWiki/UI/Register.pm (Arbeitskopie)
@@ -457,7 +457,16 @@
                 params => $TWiki::cfg{UsersWebName}.'.'.
                   $TWiki::cfg{SuperAdminGroup} );
         }
-    } else {
+    } elsif ( $TWiki::cfg{PasswordResetByAdmin} and
+              not ($session->{user}->isAdmin()) ) {
+        # Single user, but password reset has been restricted
+        throw TWiki::OopsException
+          ( 'accessdenied', def => 'only_group',
+            web => $web, topic => $topic,
+            params => $TWiki::cfg{UsersWebName}.'.'.
+              $TWiki::cfg{SuperAdminGroup} );
+    }
+    else {
         # Anyone can reset a single password - important because by definition
         # the user cannot authenticate
         # Note that the passwd script must NOT authenticate!
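Review bot: The new `{PasswordResetByAdmin}` comment describes the risk but not what a non-admin actually sees when the flag is on, which is what an administrator reading configure needs to decide whether to enable it. The Register.pm change in the same commit throws the `accessdenied`/`only_group` oops for non-admins, so the comment could end with a line such as `# Non-admin reset requests are refused with an access-denied page; the default keeps the current behaviour.` The wording `user's mail addresses` should read `users' mail addresses`, and "writeable" is conventionally "writable".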
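Review bot: The new `elsif` relies on `$session->{user}->isAdmin()` in a path whose own comment says the passwd script must not authenticate, so when `{PasswordResetByAdmin}` is set the reset only succeeds for a caller who is already logged in as an admin by some other means; that is presumably intended, but it deserves a comment such as `# With {PasswordResetByAdmin} the caller must already hold an authenticated admin session.` The `throw TWiki::OopsException ( 'accessdenied', def => 'only_group', ... )` block is a verbatim copy of the one in the multi-user branch just above (visible only from its `params =>` tail, since the enclosing `if` starts outside the hunk), so the two conditions could be folded into one admin check followed by a single throw rather than duplicating the exception construction. The split `}` / `else {` also departs from the cuddled `} else {` the removed line used and the rest of this function appears to use; keeping `} else {` avoids a style mismatch.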