
Unable to set new password after using emailed password (= temporary password can only be used once)
Closed, Declined (Public)

Description

Author: gangleri

Description:
Hi!

Imagine this scenario: You forgot your password and activate: "Mail me a new
password".

You are not able to assign a new password. NEITHER by leaving "Old password"
empty NOR using the password received by e-mail. (message: The password you
entered is incorrect. Please try again.)

This failed at

IT WORKED at http://en.wikipedia.org/wiki/Special:Userlogin (using the e-mailed
password as "Old password").

Kind regards Reinhardt [[user:gangleri]]


Version: 1.5.x
Severity: major
URL: http://test.leuksman.com/index.php/Special:Userlogin

Details

Reference
bz2126

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 8:26 PM)
bzimport set Reference to bz2126.
bzimport added a subscriber: Unknown Object (MLST).

jeluf wrote:

You can't change the password at Special:Userlogin, go to Special:Preferences to
change your password.

zigger wrote:

(In reply to comment #1)
Special:Preferences needs the old password, which is no longer valid after login.

wegge wrote:

(In reply to comment #1)

> You can't change the password at Special:Userlogin, go to Special:Preferences to
> change your password.

I think Reinhardt is referring to the place where the new password is mailed from.

I can confirm the description. The problem is that in order to change the
password in Special:Preferences, the old password must be given. In this case,
the old password is neither blank, nor the one received by mail. It's the one
that was forgotten.

hello all.
here the solution.

In /includes/User.php
function checkpassword()
please comment out the marked line:

  # use the temporary one-time password only once: clear it now !
  # $this->mNewpassword = ''; caused bugzilla 2126 - preventing the re-use of temp passw
  $this->saveSettings();

I have introduced the clearance of the temporary password, so that it can be
only used once, but overlooked the side effect which is now reported (that
nobody can use the temp password for a second time, in order to _change_ or set
a new password.)

So, please can someone of the developers comment the one line ?

I think, my basic idea to allow ONLY ONE login with the temporary password was
not bad (but admittedly, it caused the problems mentioned in this bugzilla)

Wikinaut Tom

(amended the title to cover an additional aspect, which was also the reason for
the problem)

wegge wrote:

(In reply to comment #4)

> hello all.
> here the solution.
>
> In /includes/User.php
> function checkpassword()
> please comment out the marked line:

Fixed in CVS, please provide a proper patch to address this.

> Fixed in CVS, please provide a proper patch to address this.

"costs extra"

wegge wrote:

(In reply to comment #7)

> > Fixed in CVS, please provide a proper patch to address this.
>
> "costs extra"

We all live to serve :-) What I requested was a patch that addresses this
problem, and does something sensible to correct the problem. I do not need a
patch to place a # at the correct place.
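
One way to keep the e-mailed password single-use and still let the user set a new password, shown as an added example that is not from this thread or from MediaWiki's code. The `Account` class, its methods and the `'normal'`/`'temporary'` login kinds are hypothetical; the idea is to record how the session was authenticated and skip the "Old password" check only for a session opened with the temporary password.

```php
<?php
// Added example: a minimal model, not MediaWiki's User.php; all names are hypothetical.
final class Account
{
    private string $passwordHash;
    private ?string $tempHash = null; // hash of the e-mailed password

    public function __construct(string $password)
    {
        $this->passwordHash = password_hash($password, PASSWORD_DEFAULT);
    }

    // "Mail me a new password": returns the value that would be e-mailed.
    public function issueTemporaryPassword(): string
    {
        $temp = bin2hex(random_bytes(8));
        $this->tempHash = password_hash($temp, PASSWORD_DEFAULT);
        return $temp;
    }

    // Returns 'normal', 'temporary' or null. The temporary password is cleared on first use.
    public function login(string $password): ?string
    {
        if (password_verify($password, $this->passwordHash)) {
            return 'normal';
        }
        if ($this->tempHash !== null && password_verify($password, $this->tempHash)) {
            $this->tempHash = null;
            return 'temporary';
        }
        return null;
    }

    // $loginKind must come from server-side session state. A 'temporary' session may
    // set a new password without the forgotten one; any other must supply it.
    public function changePassword(string $loginKind, string $old, string $new): bool
    {
        if ($loginKind !== 'temporary' && !password_verify($old, $this->passwordHash)) {
            return false;
        }
        $this->passwordHash = password_hash($new, PASSWORD_DEFAULT);
        $this->tempHash = null;
        return true;
    }
}
// Constructed walk-through of the reported scenario.
$acct = new Account('forgotten-password');
$kind = $acct->login($acct->issueTemporaryPassword());
var_dump($kind, $acct->changePassword($kind, '', 'new-password'), $acct->login('new-password'));
```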