Page MenuHomePhabricator
Create Task
Maniphest T121660

Can't set up new user with emailed password or use email password reset without editmyprivateinfo for */user
Open, LowPublic
Actions

Description

We have removed as many rights as possible from users who are not logged in, i.e. we have set them to false for "*" and "user". After that change, setting up a new user or mailing oneself a new password (forgotten password) doesn't work any longer. I had to re-enable
$wgGroupPermissions['*']['editmyprivateinfo'] = true;
to make it work.
I suspect that the login process is in some sort of limbo until the new password is entered where the user is logged in enough to have validated their password, but not logged-in enough to be able to change their password.
All you get is the no-permissions screen, it's not like the change password screen comes up and fails.

I don't know what he full intention of that permission is. If you are not logged in, there should be no "myprivateinfo" that you could edit, so the permission should not be relevant then. And we want our logged in users (which we put into a "legit" group) to be able to change them, so editmyprivateinfo was true for them all along.

Event Timeline

Tenbergen created this task.Dec 16 2015, 5:16 PM
Tenbergen raised the priority of this task from to Needs Triage.
Tenbergen updated the task description. (Show Details)
Tenbergen subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 16 2015, 5:16 PM
Krenair added projects: MediaWiki-User-login-and-signup, MediaWiki-Core-AuthManager.Dec 16 2015, 5:32 PM
Krenair subscribed.
Aklapper added a comment.Dec 16 2015, 7:54 PM

Hi @Tenbergen, thanks for taking the time to report this!

Which MediaWiki version is this about?

Ciencia_Al_Poder subscribed.Dec 16 2015, 8:05 PM

we have set them to false for "*" and "user"
I had to re-enable $wgGroupPermissions['*']['editmyprivateinfo'] = true;

What if you set $wgGroupPermissions['user']['editmyprivateinfo'] = true; instead of enabling it for * ?

$wgGroupPermissions['*']['editmyprivateinfo'] is false by default and don't cause any problems.

Tenbergen added a comment.Dec 17 2015, 2:06 AM

MediaWiki 1.26.0
PHP 5.4.45 (cgi-fcgi)
MySQL 5.6.26-cll-lve

Tenbergen added a comment.Dec 17 2015, 8:55 PM

Ciencia_Al_Poder: I just tested this and you are right in that this works if I set
$wgGroupPermissions['user']['editmyprivateinfo'] = true; (instead of *).
I unset all user rights because I wanted to cut out all who have an account that is not "legit". So, giving the right to "user" is better than giving it to "*", but I am still wondering why anyone other than the ones we still want onboard need rights to this.

Having said that, I don't know enough about the details of these permissions to provide a specific concern. It just seemed odd to me that the password change would happen at a state before the user is logged in. If those who know more about these permissions don't see a hole with it I am fully prepared to let it go.

Aklapper triaged this task as Low priority.Feb 27 2016, 9:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL