I found that the right "passwordreset" does not prohibit the view of Special:PasswordReset - what the name suggests - but is a user right to view the Password-Reset-Mail including the temporary password.
This appears to be disabled during installation but can be activated for example by using
allow admins to access view reset e-mails
$wgGroupPermissions['sysop']['passwordreset'] = true;
I suggest to globally change the name of the user permission and related system message keys from
- passwordreset to passwordreset-view-reset-mail
- right-passwordreset to right-passwordreset-view-reset-mail
where it applies to avoid unintended revealing of password-reset-mails and contents in case that WikiSysops misinterprets this setting.
Version: 1.20.x
Severity: minor