During development of OpenID I noticed the following:
When a logged-in user (no matter by which method) goes to Special:PasswordReset, they see an input field for entering their username. This does not make sense.
There are these drawbacks:
- users need to type their name (effort and risk of typos)
- evil users can trigger sending a new password to arbitrary users
I cannot imagine any other purpose for PasswordReset than that user X wants to send a new password to user X (as mentioned, "user" is - implicitly - a logged-in persona).
I propose the following change in Special:PasswordReset
if "user", then PasswordReset shows
- the own username in the Username field
- this field set to readonly=readonly
- the onSubmit callback sanitizing the return parameters and checking whether the correct name comes back
- then mailing the temporary password to user(username)
I also need (for OpenID) a clean way of internally sending a temporary password directly to the logged-in user (without the form).
Version: unspecified
Severity: enhancement
URL: http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/specials/SpecialPasswordReset.php
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=20185
https://bugzilla.wikimedia.org/show_bug.cgi?id=29027
https://bugzilla.wikimedia.org/show_bug.cgi?id=30636
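
The server-side check proposed in the report above, sketched as an added example that is not part of the original report and not MediaWiki code. The function name, its parameters and the reason strings are hypothetical, and usernames are assumed to be already in canonical form.

```php
<?php
// Added illustration; not MediaWiki code. All names here are hypothetical.

/**
 * Decide which account a password-reset request applies to.
 *
 * @param ?string $sessionUser Username from the authenticated session, null if anonymous.
 * @param ?string $postedUser  Raw "username" value from the submitted form, null if no form.
 * @return array{ok: bool, target: ?string, reason: string}
 */
function resolveResetTarget(?string $sessionUser, ?string $postedUser): array
{
    // Sanitize the returned parameter: trim it and treat an empty value as missing.
    $posted = $postedUser === null ? '' : trim($postedUser);

    if ($sessionUser !== null) {
        // readonly=readonly is only a browser hint; the posted value can still
        // differ, so a name that does not match the session is rejected.
        if ($posted !== '' && $posted !== $sessionUser) {
            return ['ok' => false, 'target' => null, 'reason' => 'username-mismatch'];
        }
        // The target always comes from the session, never from the form.
        return ['ok' => true, 'target' => $sessionUser, 'reason' => 'session-user'];
    }

    // Anonymous visitors: the report proposes no change, so the form field is used.
    if ($posted === '') {
        return ['ok' => false, 'target' => null, 'reason' => 'missing-username'];
    }
    return ['ok' => true, 'target' => $posted, 'reason' => 'anonymous-form'];
}

// Constructed sample requests: [session user, posted username].
$cases = [
    ['Alice', 'Alice'], // logged in, field left untouched
    ['Alice', 'Bob'],   // logged in, field value altered before submit
    ['Alice', null],    // internal call without the form (the OpenID case)
    [null, 'Carol'],    // anonymous visitor
];
foreach ($cases as [$session, $posted]) {
    $r = resolveResetTarget($session, $posted);
    printf("%-6s %-6s => %s (%s)\n", $session ?? '-', $posted ?? '-',
        $r['ok'] ? $r['target'] : 'rejected', $r['reason']);
}
```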