Ok, we found the problem. However, I am a little puzzled about the intent. Apparently password recovery is disabled (and issues an "access denied" ) if forum registration is disabled. I am uncertain why one would be unable to recover their password just because registrations aren't allowed for the general public.
Here's the specific bit of code in PageSecurityModel.cs that disallows it:
// handle security features...
switch (ForumPageType)
{
case ForumPages.recoverpassword:
if (PageContext.BoardSettings.DisableRegistrations)
{
//problem code below
YafBuildLink.AccessDenied();
}
break;
default:
if (PageContext.IsPrivate && CurrentForumPage.User == null)
{
// register users only...
CurrentForumPage.RedirectNoAccess();
}
break;
}
So what we did is short circuit this by adding the recover password page reference to the following line:
if (ForumPageType == ForumPages.login || ForumPageType == ForumPages.approve || ForumPageType == ForumPages.logout || ForumPageType == ForumPages.recoverpassword)
{
return;
}