
24 hour Reset password email lock should not be set if sending the email failed
Open, Low, Public, Feature

Description

Author: steven.spark+dev

Description:
Hi everyone!

We had some problem with our SMTP server, so after registering a new user an error message appeared: "Error sending mail: failed to receive" (might not be the exact phrase). Tried another user's password reminder (reset) (which failed also).
Now the SMTP is fixed, but I cannot re-send the registration, or request password reset for these users, because:
"A password reset email has already been sent, within the last 24 hours. To prevent abuse, only one password reset email will be sent per 24 hours."

No! It was not sent; it tried to send it and failed (which it showed in an error message).

Bug 1: Email lock should not be set if sending the email failed.

Even when I log in as admin and request a reset, the same message is displayed. (Actually the first one was in Hungarian: "Már elküldtünk egy jelszóemlékeztetőt az utóbbi 24 órában. A visszaélések elkerülése végett 24 óránként csak egy jelszó-emlékeztetőt küldünk.")

Bug 2: Admins should be allowed to request password resets without any lockouts (be throttled).

Sorry if I should have created separate bug reports, or made some other mistake.

Additional details that might help:
message id: 'throttled-mailpassword' in languages\messages\MessagesEn.php
(and probably 'mailerror')

Now I'm trying to remove the lock in SQL, reconfigure the lockout period, or remove it temporarily from PHP...
Good luck to us all!


Version: 1.21.x
Severity: enhancement

Details

Reference
bz52839
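
The behaviour requested in Bug 1 and Bug 2 above, as an added example that is not MediaWiki code and not from the reporter: the 24-hour lock is recorded only after the mailer reports success, and an admin-initiated request skips the throttle. The class name, the `sent` return value and the cap of five failed sends per hour are assumptions; the two message ids are the ones named in the report.

```php
<?php
// Added illustration, not MediaWiki code; class, method and constant names are hypothetical.
final class ResetMailThrottle
{
    private const LOCK_SECONDS = 86400;   // the 24-hour window quoted in the report
    private const MAX_FAILURES = 5;       // assumed hourly cap on failed sends per user
    private \Closure $mailer;             // returns true only when the mail was handed off
    private array $lastSent = [];         // user => time of last successful send
    private array $failures = [];         // user => times of recent failed sends

    public function __construct(\Closure $mailer) { $this->mailer = $mailer; }

    public function request(string $user, bool $isAdmin, int $now): string
    {
        $recent = array_values(array_filter($this->failures[$user] ?? [],
            fn(int $t): bool => $now - $t < 3600));
        $locked = isset($this->lastSent[$user])
            && $now - $this->lastSent[$user] < self::LOCK_SECONDS;
        if (!$isAdmin && ($locked || count($recent) >= self::MAX_FAILURES)) {
            return 'throttled-mailpassword';
        }
        try {
            $ok = ($this->mailer)($user) === true;
        } catch (\Throwable $e) {
            $ok = false;                  // a mailer exception counts as a failed send
        }
        if (!$ok) {
            $recent[] = $now;
            $this->failures[$user] = $recent;
            return 'mailerror';           // no 24-hour lock recorded for a failed send
        }
        $this->lastSent[$user] = $now;    // lock starts only after a successful send
        unset($this->failures[$user]);
        return 'sent';
    }
}

// Constructed scenario: the SMTP server is down for the first request, then repaired.
$smtpUp = false;
$throttle = new ResetMailThrottle(function (string $user) use (&$smtpUp): bool {
    return $smtpUp;
});
$log = [$throttle->request('ExampleUser', false, 0)];       // SMTP down
$smtpUp = true;
$log[] = $throttle->request('ExampleUser', false, 60);      // retry after the fix
$log[] = $throttle->request('ExampleUser', false, 120);     // second request inside the window
$log[] = $throttle->request('ExampleUser', true, 180);      // admin-initiated reset
echo implode("\n", $log), "\n";
```

The separate cap on failed sends keeps the abuse protection in place while the mail server is down, since without it every failed attempt could be retried immediately.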

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 2:14 AM
bzimport added a project: MediaWiki-Email.
bzimport set Reference to bz52839.
bzimport added a subscriber: Unknown Object (MLST).

Thanks for taking the time to report this!
I am not sure if this is technically doable.

> Sorry if I should have created separate bug reports

Yes, these are two different requests. :)

patelmm79 wrote:

This 24 hour reset password lock is a pain. I've had multiple instances in which the end user did not receive the password via mail, but I as an administrator cannot take further actions to provide access in a timely manner. This will tend to erode confidence in the product amongst both administrators and end users. There must be another way to handle password resets in a secure manner...

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:13 AM
Aklapper removed a subscriber: wikibugs-l-list.