Reset password not working properly #7037

Open
llefort001 opened this issue Mar 16, 2023 · 0 comments · May be fixed by #7438
Labels
Bug Error or unexpected behavior of already existing functionality

Comments

@llefort001
Contributor

| Q | A |
| --- | --- |
| Sulu Version | 2.5.7 |
| PHP Version | 8.2.2 |
| DB Version | MariaDB 10.3.36 |
| Browser Version | Chrome 109.0.5414.74 |

Actual Behavior

Reset password does not work properly.
If someone makes a reset password request, request works and "passwordResetTokenEmailsSent" goes up to 3.
Even 48h after, passwordResetTokenEmailsSent stays at 3, so reset emails are not sent.
BUT, this number is never reset to 0, even if time interval (24h) is done.

Expected Behavior

passwordResetTokenEmailsSent should reset to 0 if a new request is made after 24h interval.

Steps to Reproduce

In admin login form :

  • Forgot password
  • Fill email/user
  • request password x>3 times

You should receive max 3 emails.

In database :

  • Change value of passwordResetTokenExpiresAt: subtract some days/months so expiresAt < Now DateTime

In admin login form :

  • Request password

You should not receive emails, because, when requesting, it generates a new token that expires in 24h BEFORE checking your passwordResetTokenEmailsSent and passwordResetTokenExpiresAt. Then it checks these 2 values.
Of course, your newly generated token expires in 24h and your passwordResetTokenEmailsSent is still at 3, so you will not receive any email.

Possible Solutions

In \Sulu\Bundle\SecurityBundle\Controller\ResettingController::sendEmailAction, calling
$token = $this->generateTokenForUser($user);
then
$this->sendTokenEmail($user, $this->getSenderAddress($request), $email, $token);

Conditions are verified in \Sulu\Bundle\SecurityBundle\Controller\ResettingController::sendTokenEmail.

These conditions should be verified in generateTokenForUser and not in sendTokenEmail as generateTokenForUser updates values of the conditions and makes it irrelevant.
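
A minimal model of the ordering problem described in this issue, added here as an illustration; it is not Sulu's code or the reporter's. The class, the function names, the constants and the exact form of the limit check are assumptions; the two properties stand in for passwordResetTokenExpiresAt and passwordResetTokenEmailsSent.

```php
<?php
// Simplified model of the ordering problem; not Sulu code. All names are hypothetical.
const MAX_EMAILS = 3;
const TOKEN_TTL = 'PT24H';

final class ResetState
{
    public ?DateTimeImmutable $expiresAt = null; // models passwordResetTokenExpiresAt
    public int $emailsSent = 0;                  // models passwordResetTokenEmailsSent
}

// Assumed limit rule: refuse while the counter is at the maximum and the token is still valid.
function limitReached(ResetState $s, DateTimeImmutable $now): bool
{
    return $s->emailsSent >= MAX_EMAILS && $s->expiresAt !== null && $s->expiresAt > $now;
}

// Order described in the issue: new token (and new expiry) first, limit check second.
function requestResetBuggy(ResetState $s, DateTimeImmutable $now): bool
{
    $s->expiresAt = $now->add(new DateInterval(TOKEN_TTL)); // expiry is now always in the future
    if (limitReached($s, $now)) {
        return false; // a counter stuck at the maximum can never recover
    }
    $s->emailsSent++;
    return true;
}

// Order proposed in the issue: evaluate the old expiry first, then issue the token.
function requestResetFixed(ResetState $s, DateTimeImmutable $now): bool
{
    if ($s->expiresAt !== null && $s->expiresAt <= $now) {
        $s->emailsSent = 0; // previous window is over, start a new one
    }
    if (limitReached($s, $now)) {
        return false;
    }
    $s->expiresAt = $now->add(new DateInterval(TOKEN_TTL));
    $s->emailsSent++;
    return true;
}

// Constructed scenario: four requests in a row, then the same user returns 48 hours later.
$start = new DateTimeImmutable('2023-03-16 10:00:00');
$later = $start->add(new DateInterval('PT48H'));
foreach (['requestResetBuggy', 'requestResetFixed'] as $flow) {
    $s = new ResetState();
    for ($i = 0; $i < 4; $i++) { $flow($s, $start); }
    printf("%s after 48h: %s (emailsSent=%d)\n", $flow, $flow($s, $later) ? 'sent' : 'blocked', $s->emailsSent);
}
```

In the fixed order a refused request also leaves the stored expiry untouched, so repeated requests during a lockout cannot extend it.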
