
Password reset function should error on blocked accounts if $wgBlockDisablesLogin
Open, Medium, Public

Description

On private wikis (where wgBlockDisablesLogin is enabled), blocked users should not receive password reset emails when requested for their username. If they cannot access the content, there's no need to send the password.

Similar task: T54453, though that is more of a blanket eradication of watchlist notifications for the same users.

Event Timeline

Rjd0060 raised the priority of this task from to Needs Triage.
Rjd0060 updated the task description. (Show Details)
Rjd0060 added subscribers: Rjd0060, Krenair, MZMcBride.
Krenair renamed this task from "Password reset emails should not be sent to blocked accounts on private wikis" to "Password reset emails should not be sent to blocked accounts if $wgBlockDisablesLogin". Edited May 27 2015, 9:30 PM
Krenair set Security to None.
Krenair added a subscriber: csteipp.

Hmmm. So we'd return an error saying that the account is blocked? It looks like we already expose account existence, so OK...
What are we going to do about email address-based password reset?

Krenair renamed this task from "Password reset emails should not be sent to blocked accounts if $wgBlockDisablesLogin" to "Password reset function should error on blocked accounts if $wgBlockDisablesLogin". May 27 2015, 9:31 PM

Hmmm. So we'd return an error saying that the account is blocked? It looks like we already expose account existence, so OK...

We return the block information in the user query api, so we already make that public.

What are we going to do about email address-based password reset?

I think we should take blocked users off the list of users whose email matches the reset request. If no unblocked accounts are still in the list, then the resetting user gets the standard response that no user accounts have that email.

Hmmm. So we'd return an error saying that the account is blocked? It looks like we already expose account existence, so OK...

We return the block information in the user query api, so we already make that public.

We expose the user query API on private wikis to logged out users? That's not what I was thinking of.

What are we going to do about email address-based password reset?

I think we should take blocked users off the list of users whose email matches the reset request. If no unblocked accounts are still in the list, then the resetting user gets the standard response that no user accounts have that email.

I don't think we actually provide such an error? When I try resetting for completely nonsense email addresses (e.g. DoesNotActuallyExist@wikimedia.org), it pretends that it's sent an email.

What are we going to do about email address-based password reset?

I think we should take blocked users off the list of users whose email matches the reset request. If no unblocked accounts are still in the list, then the resetting user gets the standard response that no user accounts have that email.

I don't think we actually provide such an error? When I try resetting for completely nonsense email addresses (e.g. DoesNotActuallyExist@wikimedia.org), it pretends that it's sent an email.

What's wrong with that? (My opinion is nothing - it also helps alleviate some of the other concern about being able to find out which accounts exist on the private wiki)
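The two behaviours discussed in this thread, modelled as an added example (not MediaWiki code and not anything a participant posted): when blocks disable login, the username path returns an explicit "blocked" error (the thread notes account existence is already exposed there), while the email path silently drops blocked accounts from the match list and always returns the same generic response, so an outsider learns nothing about which addresses belong to accounts. The `Account` type, the sample directory and the response strings are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    email: str
    blocked: bool


# Constructed sample directory; these are not real wiki users.
ACCOUNTS = [
    Account("Alice", "alice@example.org", blocked=False),
    Account("Bob", "shared@example.org", blocked=True),
    Account("Carol", "shared@example.org", blocked=False),  # shares Bob's address
    Account("Dave", "dave@example.org", blocked=True),
]

# Generic reply for the email path. It is returned whether or not any mail
# goes out, mirroring the thread's observation that a nonsense address still
# gets a "sent" style answer, so the response leaks no account information.
GENERIC_RESPONSE = "If an account matches this address, a reset email has been sent."


def eligible(account: Account, block_disables_login: bool) -> bool:
    """A blocked account loses reset eligibility only when blocks disable login
    (the $wgBlockDisablesLogin case); on an ordinary wiki a block does not
    prevent logging in, so the reset is still meaningful."""
    return not (block_disables_login and account.blocked)


def reset_by_username(accounts, username: str, block_disables_login: bool):
    """Username-based reset. Returns (status, recipients).

    The task proposes an explicit error here: the username path already reveals
    whether an account exists, so refusing a blocked account adds no new leak.
    """
    matches = [a for a in accounts if a.name == username]
    if not matches:
        return "nosuchuser", []
    account = matches[0]
    if not eligible(account, block_disables_login):
        return "blocked", []
    return "sent", [account.name]


def reset_by_email(accounts, email: str, block_disables_login: bool):
    """Email-based reset. Returns (message, recipients).

    Blocked accounts are filtered out of the match list before anything is
    sent; if nothing remains, no mail goes out. The message is identical in
    every case, so the caller cannot distinguish "no such address",
    "only blocked accounts" and "mail sent".
    """
    matches = [a for a in accounts if a.email.lower() == email.lower()]
    recipients = [a.name for a in matches if eligible(a, block_disables_login)]
    # Real code would dispatch mail to `recipients` here; this model just
    # reports who would have received one.
    return GENERIC_RESPONSE, recipients


if __name__ == "__main__":
    print(reset_by_username(ACCOUNTS, "Bob", block_disables_login=True))
    print(reset_by_email(ACCOUNTS, "shared@example.org", block_disables_login=True))
    print(reset_by_email(ACCOUNTS, "dave@example.org", block_disables_login=True))
```

With blocks disabling login, a shared address owned by one blocked and one unblocked account results in mail to the unblocked account only, and an address owned solely by blocked accounts results in no mail at all but the same generic message.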