Page MenuHomePhabricator
Create Task
Maniphest T9031

Don't report that a new password was emailed if no email address was set
Closed, ResolvedPublic
Actions

Description

If an user requests at [[Special:Userlogin]] a new password, the system responds
always with [[MediaWiki:Passwordsent]] ("A new password has been sent to the
e-mail address registered for "$1". Please log in again after you receive it.")
as well a no password is stored in user preferences.

This is very illogical and user complains then via email (ask the OTRS support
teams) that no new password comes.

And believe me... most users don't know if they have entered an email adress at
time of account creating or later.

Solution: Create a new message like "Sorry, for this account no email is stored,
we cannot send you a new password" and check at time of requesting a new password.

Version: unspecified
Severity: minor

Details

Reference
bz7031

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:23 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz7031.
bzimport added a subscriber: Unknown Object (MLST).
Raymond created this task.Aug 16 2006, 5:29 PM
daniel added a comment.Aug 16 2006, 6:02 PM

this would give anons a way to determine if a mail address is stored for a given
user. Not sure how much of a risk that would be though.

bzimport added a comment.Aug 16 2006, 7:26 PM

ayg wrote:

It's already possible to guess based on what the response is to
Special:Emailuser. Of course, they could have always disabled e-mail from other
users, which isn't a possibility here, but the additional information that would
be given for this isn't sufficient to justify the confusion this aims to fix.

daniel added a comment.Aug 16 2006, 7:47 PM

Anons can't use Special:Emailuser. But I also don't see how exposing this info
would be a lot of trouble. I'd like to get some more input on that though - the
current "confusing" behavior feels intentional.

bzimport added a comment.Aug 16 2006, 7:49 PM

ayg wrote:

Anyone who signs up can use Special:Emailuser (provided they give a valid e-mail
address, and why not, it's secret). It should at least say "if that user has
entered a valid e-mail address".

bzimport added a comment.Aug 16 2006, 9:42 PM

ayg wrote:

Proposed patch

It *looks* like brion broke this in r8618. He changed
SpecialUserlogin::mailPasswordInternal to return WikiError on failure, but it
continued to return a string if there was no e-mail provided. Therefore, the
else statement failed to do its job correctly.

Since WikiError.php starts with "Since PHP4 doesn't have exceptions", I'm
guessing it's probably deprecated in favor of MWException, but on inspection it
appears that multiple functions that could be called from all sorts of places
would have to be modified and retested, so I've just had it return a WikiError.
Tested and works correctly on my install.

Attached:

7031a.patch444 BDownload

brion added a comment.Aug 17 2006, 7:29 AM

Applied on r16101

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL