Page MenuHomePhabricator

E:OpenID does not accept the temporary password when attaching an OpenID to an existing account.
Closed, ResolvedPublic

Description

Szenario:

  • existing wiki "User" account with a confirmed e-mail address. This account was created earlier via createaccount or createaccount-by-mail, a standard mediawiki account ;
  • User wants to attach their XYZ-OpenID to their account because there is no OpenID yet ; and
  • User has forgotten the password for the wiki User account

User can send a temporary password via Special:PasswordReset to their (previously confirmed) e-mail address.

A password is mandatory when you want to attach an OpenID to an existing account.

Bug:

Current OpenID version do not accept the _temporary_ password when attaching an OpenID to an existing account.

Patch ready.


Version: master
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=57289

Details

Reference
bz57065

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:40 AM
bzimport set Reference to bz57065.

Change 95461 had a related patch set (by Wikinaut) published:
Bug 57065: E:OpenID does not accept temporary password when attaching an OpenID to an existing account

https://gerrit.wikimedia.org/r/95461

I believe the issue with the change password form showing twice is that the first time, the user is partially logged in with their temporary password, and the ChangePassword form writes out the user's edit token into the token hidden field. When the user submits the form (the first time), they are completely logged out, and the edit token on the form doesn't match the anonymous edit token ('+\'). The second time the form is displayed, the anonymous edit token is written into the token field, and the ChangePassword form submission is correctly processed.

(In reply to comment #2)

I believe the issue with the change password form showing twice is that the
first time, the user is partially logged in with their temporary password,
and
the ChangePassword form writes out the user's edit token into the token
hidden
field. When the user submits the form (the first time), they are completely
logged out, and the edit token on the form doesn't match the anonymous edit
token ('+\'). The second time the form is displayed, the anonymous edit token
is written into the token field, and the ChangePassword form submission is
correctly processed.

Chris,

arguendo you are right with your view,

  • why is that then working (usually, showing the page only once) in *normal* MediaWiki context, on - let's say - English Wikipedia, when you come as anon and log-in with your temp.password ?

But perhaps(????) it is related to what I found in https://bugzilla.wikimedia.org/show_bug.cgi?id=57289

solved in verion 4.00 20131122
https://gerrit.wikimedia.org/r/#/c/94977/

currently, the password change page appears twice. This will be tracked in a new bug.

Change 95461 abandoned by Wikinaut:
Bug 57065: does not accept temporary password when attaching OpenID to existing account

Reason:
thsi patch is not needed

https://gerrit.wikimedia.org/r/95461