Page MenuHomePhabricator
Create Task
Maniphest T35997

SpecialPasswordReset does not always has the correct returnto= page on the login / create account portlet and returns to SpecialPasswortReset instead to Main page
Closed, ResolvedPublic
Actions

Description

I'll try to describe this reproducible problem, it's difficult to describe but perhaps someone of you has seen this problem also.

When users have requested a temporary password through Special:PasswortReset and

  • come back to the wiki
  • and then click onto the Special:Login link (portlet) in order to get the password page, I noticed (the problem:) that often this portlet has a wrong value and after entering the temporary pw and the new password twice, the wiki shows again the Special:PasswordReset page instead of going to the Main page.

Perhaps a new RequestContext should be set, but I do not know, how this can be done at that moment.

When doing a passwort reset (enter the temporary password and twice a different, new password) on

/index.php?title=Special:UserLogin&returnto=Special%3APasswordReset

the Create Account/Login portlet has incorrectly

/index.php?title=Special:UserLogin&returnto=Special%3APasswordReset

instead of

/index.php?title=Special:UserLogin&returnto=Main+Page

Version: 1.20.x
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=57098

Details

Reference
bz33997

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:09 AM
bzimport added a project: MediaWiki-Special-pages.
bzimport set Reference to bz33997.
bzimport added a subscriber: Unknown Object (MLST).
Wikinaut created this task.Jan 27 2012, 9:46 PM
bzimport added a comment.Feb 11 2012, 12:53 PM

ashishmittal.mail wrote:

Hello,

I would like to solve this bug.

As per my understanding, generally after the user login, the page is redirected back to the page user was originally on due to the parameter 'returnto' of the $request object (WebRequest).
Since in this case, the user was on 'PasswordRequest' page, he would be redirected to the same page again. Hence in this case, we might need to explicitly set the parameter to the 'main-page'. Hence it would be a code addition somewhere in the PasswordReset page for setting the value of some parameter to 'main-page' which would reflect in $request['returnto']

Kindly suggest if I am on the right track and guide.

Thanks,
Aashish

Wikinaut added a comment.Feb 11 2012, 1:21 PM

(In reply to comment #1)

As per my understanding, generally after the user login, the page is redirected
back to the page user was originally on due to the parameter 'returnto' of the
$request object (WebRequest).
Since in this case, the user was on 'PasswordRequest' page, he would be
redirected to the same page again. Hence in this case, we might need to
explicitly set the parameter to the 'main-page'. Hence it would be a code
addition somewhere in the PasswordReset page for setting the value of some
parameter to 'main-page' which would reflect in $request['returnto']

Aashish

I think, I need to give a detailed analysis. Allow me to use some "bold" words to point to the differences.

There is _no_ problem for this case I:

  • you or someone else has triggered to have the password "reset" mail sent to you from the Special:PasswordReset page
  • you go to your mail client
  • you click on the link in your mail - the link goes to https://server/phase3/index.php/Main_Page
  • you come to the newly rendered Main page
  • where you now click onto login
  • enter your temporary password, and 2x the new one

Okay

The problem is visible in this scenario case II:

  • you or someone else has triggered to have the password "reset" mail sent to you from the Special:PasswordReset page
  • (X) you LEAVE THIS browser page as it stands (saying something like "a temporary password has been successfully mailed to ...")
  • you goto to your mail
  • you DO NOT click on the link in your mail (the link goes to https://server/phase3/index.php/Main_Page)
  • you switch to your still-opened browser window with the unchanged page of step (X)
  • where you now click onto login link (THIS LINK HAS THE WRONG returnto https://server/phase3/index.php?title=Special:UserLogin&returnto=Special%3APasswordReset because the page was not rendered again, still stands at (X) )
  • enter your temporary password, and 2x the new one

Problem: now your are again at "Special:PasswordReset" , which is correct behaviour of the Wiki software, but not what a user wants.

bzimport added a comment.Feb 11 2012, 7:23 PM

ashishmittal.mail wrote:

changes to SpecialUserLogin to return to Main_Page after a password change

Hello,

Thanks for the detailed explanation. I reproduced the second scenario and was able to figure out the following solutions for it:

  1. Modification of SpecialUserLogin to check if the returntitle is PasswordReset. If yes, make the returnto empty.

The code snippet is:

Do not redirect back to PasswordReset (instead to the Main_Page) after a successful password change

		if( is_object( $returnToTitle ) && $returnToTitle->isSpecial( 'PasswordReset' ) ) {
			$this->mReturnTo = '';
			$this->mReturnToQuery = '';
		}

In this case, the returnto is still set to PasswordReset in the url, but after Login submission, the returnto is made emptied. Similar solution exits for the UserLogout page. In the case of UserLogout, if I manually go to UserLogout and click on Login, the returnto is set to UserLogout. Hence after successful login, the user would be returned to Logout page, but similar code prevents it from going to Logout page.

  1. Second solution is to modify the SkinTemplate to modify the login url itself. In the SkinTemplate, I can check the $wgRequest->getVal('returnto') and if it is set to PasswordReset, I can modify it to Main_Page. This would change the returnto in the $loginurl itself and would be used to return the user back to main page once the user has logged in.

I am attaching a patch for the former, kindly give your review which solution is more suitable and if the code and the output seems fine.

Thanks in advance.

Regards,
Aashish

Attached:

SpecialUserlogin-removed-returnto-for-PasswordReset.diff620 BDownload

Wikinaut added a comment.Feb 11 2012, 11:47 PM

I tried your patch, this appears to work as expected and described.

great. fixed in r111270

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL