
RT password reset function broken (sends mail w/ blank passwd)
Closed, Declined (Public)

Description

RT has no password recovery system, making it impossible to figure out whether you have an account or what your password is when everybody thinks you have an account and says you should be able to look at something in there, but it turns out you don't have an account.

This is a transparency problem in general, but it's pretty aggravating within the company as well -- I had to ask around for a while before I found Ben, who thinks he can set me up an account.


Version: unspecified
Severity: normal
URL: http://rt.wikimedia.org/
See Also:
https://rt.wikimedia.org/Ticket/Display.html?id=5408

Details

Reference
bz30412

Event Timeline

bzimport raised the priority of this task to Low. Nov 21 2014, 11:55 PM
bzimport set Reference to bz30412.
bzimport added a subscriber: Unknown Object (MLST).

I have a friend who just started working for Best Practical. Maybe he can give us some help.

jason.a.may wrote:

Hi Brion,

The RT extension RT::Extension::ResetPassword may suit your needs:
https://metacpan.org/release/RT-Extension-ResetPassword

Also, the bug tracker for RT can be found here:
http://www.bestpractical.com/rt/issues.html

Thanks,
Jason

So..... I could use this feature again, it seems.

Ryan suggests that RT should be hooked up to LDAP (cf bug 30414 -- but probably switch it over to the Labs LDAP?) which could obviate the need for a separate pass reset for RT specifically.

Still waiting on this. Ryan Lane says he has no admin access on RT to do password resets manually; Mark referred me to CT.

Adding CT, Ryan, and Mark as CCs.

Brion, I have reset your RT password manually and sent it to you via GPG-encrypted mail. I used one of your keys I found on a keyserver; tell me if that doesn't work.

You *can* reset your password:
https://rt.wikimedia.org/NoAuth/ResetPassword/Request.html

(perhaps it was added in an RT update)

The extension that provides that functionality is https://github.com/bestpractical/rt-extension-resetpassword and it needs to be packaged and installed (as well as tested with the new version of RT).

There's another approach to password resets here: http://requesttracker.wikia.com/wiki/PasswordReset
and implemented here: https://gerrit.wikimedia.org/r/#/c/71719/3
but this is not currently functional, since it's intended for 'external' (non privileged) users only. I could comment out the lines that make that check, but I'd prefer to go with the other extension because of how password resets are handled.

In the extension on github, the user requests a password reset by providing their email address, is sent a url with a token, and after following that url, enters the new password which is then validated and saved. This I believe is what was installed previously, at least it has the path referenced in comment 8.

In the wikia code, the user requests a password reset the same way but RT immediately sets the password to a random string and emails the user with that password.

I like the second approach less, since it permits someone other than the user to actually change the password (even though the user is notified of the change), and the password is sent via plaintext email. Neither of those things excite me very much.

Err, the wikia extension is intended for internal (privileged) users only, I meant to say.
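The following is an added illustration, not code from RT, from the GitHub extension, or from the wikia snippet: a minimal Python sketch of the two reset flows compared in the comment above, with in-memory stand-ins for the user table and the mailer. The reset URL, the one-hour token lifetime and the minimum password length are assumptions. It runs the scenario the comment objects to, a reset request submitted by someone other than the account owner, against both designs and reports what changes for the owner.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600          # assumed: a reset link stays valid for one hour
MIN_PASSWORD_LEN = 12     # assumed: the only validation this sketch applies
RESET_URL = "https://rt.example.org/NoAuth/ResetPassword/Reset.html"  # hypothetical path


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Mailer:
    """Stand-in for the MTA: records outgoing mail so the demo can inspect it."""
    def __init__(self):
        self.sent = []          # list of (recipient, body)

    def send(self, to, body):
        self.sent.append((to, body))


class Accounts:
    def __init__(self):
        self.creds = {}         # email -> (salt, pbkdf2 hash)
        self.pending = {}       # email -> (sha256 of token, expiry); design A only
        self.mailer = Mailer()

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.creds[email] = (salt, _kdf(password, salt))

    def check_password(self, email, password):
        salt, stored = self.creds[email]
        return hmac.compare_digest(_kdf(password, salt), stored)

    # Design A (the GitHub extension as the thread describes it): mail a token
    # link; the password changes only when the link holder sets a new one.
    def request_token_reset(self, email, now=None):
        if email not in self.creds:
            return              # respond identically; do not reveal account existence
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()  # store hash, not token
        self.pending[email] = (token_hash, (now or time.time()) + TOKEN_TTL)
        self.mailer.send(email, f"{RESET_URL}?email={email}&token={token}")

    def complete_token_reset(self, email, token, new_password, now=None):
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires = entry
        if (now or time.time()) > expires:
            del self.pending[email]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            return False        # rejected password: token stays usable for a retry
        del self.pending[email] # single use
        self.set_password(email, new_password)
        return True

    # Design B (the wikia snippet as the thread describes it): replace the
    # password with a random string immediately and mail that string.
    def request_random_password_reset(self, email):
        if email not in self.creds:
            return
        new_password = secrets.token_urlsafe(12)
        self.set_password(email, new_password)   # the owner's old password dies here
        self.mailer.send(email, f"Your new RT password is {new_password}")


def compare_designs():
    """Scenario: a third party submits a reset request for the owner's address
    and never sees the resulting mail. Returns what the owner would observe."""
    owner, old_pw = "user@example.org", "owner-original-passphrase"  # constructed
    a = Accounts()
    a.set_password(owner, old_pw)
    a.request_token_reset(owner)
    b = Accounts()
    b.set_password(owner, old_pw)
    b.request_random_password_reset(owner)
    mailed_pw = b.mailer.sent[-1][1].rsplit(" ", 1)[1]
    return {
        # A: the unsolicited request alone changed nothing for the owner
        "A_old_password_still_works": a.check_password(owner, old_pw),
        # A: the mail body is a link, not a credential anyone can log in with
        "A_mail_body_is_a_password": a.check_password(owner, a.mailer.sent[-1][1]),
        # B: the owner is locked out by a request they never made
        "B_old_password_still_works": b.check_password(owner, old_pw),
        # B: whoever reads the mail, in transit or at rest, holds a live password
        "B_mailed_string_is_the_password": b.check_password(owner, mailed_pw),
    }
```

In design A the server keeps only a hash of the token and compares it in constant time, so a leaked pending table is not a pile of working reset links; the token is consumed on success and, since the request alone changes no credential, a stranger submitting the owner's address can only make the owner receive an unexpected mail. Design B has the property the comment objects to: the request itself is the credential change, and the mail is the plaintext password.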

I'm also getting blank password and hence I can't see the linked ticket ;)

I'm guessing this is declined given that RT is going?

Aklapper added a project: acl*sre-team.
Aklapper set Security to None.
Aklapper subscribed.

Declining this because we stopped using RT.

Dzahn claimed this task.