What if the call to _validate_pass_reset moved into res.users action_reset_password instead? That would remove the need for this copy pasta.

It might be necessary to check to see if the request.uid is the admin user, to allow for bulk password resets that ignore this setting.

In commit 8a5ead9 I moved _validate_pass_reset into action_reset_password. It seems working fine to me. Would you also give it a look?

This active user check seems redundant with

https://github.com/odoo/odoo/blob/991d1c430f2c9bb0d2b2d7ac8f75338eafd2aced/addons/auth_signup/models/res_users.py#L166-L167

but maybe it is handling a case where a module could create an inactive user?

Good catch on the install_mode check. Maybe also add something like

if self.env.uid == SUPERUSER_ID:

as I just got Passwords can only be reset every 24 hour(s). Please contact an administrator for assistance. while logged in as admin. 😆

Edit: Steps to reproduce as admin on a brand new instance with --init=password_security:

1. Home Menu > Settings
2. Users & Companies > Users
3. Check Administrator
4. Action > Send Password Reset Instructions
5. Error

The check on active is redundant but I made it on purpose, so that in case an user is inactive, this standard error will be always raised, instead of the eventual _validate_pass_reset.

I just added the SUPERUSER_ID check.