Password reset link is shown when no reset options are available
Closed, ResolvedPublic
Actions

Description

When no password routes are available, the reset password link is still shown on special page UserLogin.

Version
MediaWiki 1.27.1

Reproduce:
Add the following line to LocalSettings.php.

$wgPasswordResetRoutes = array( 'username' => false, 'email' => false );

Problem:
In LoginSignupSpecialPage.php, the return value of PasswordReset.isAllowed() is checked as a boolean, where as it is in fact a StatusValue object, so it is always true. 'isGood()' should be called on the object instead.

Fix:
In LoginSignupSpecialPage.php, apply this patch:

@@ -656,7 +656,7 @@ abstract class LoginSignupSpecialPage extends AuthManagerSpecialPage {
 
 		if ( !$this->isSignup() && $this->showExtraInformation() ) {
 			$passwordReset = new PasswordReset( $this->getConfig(), AuthManager::singleton() );
-			if ( $passwordReset->isAllowed( $this->getUser() ) ) {
+			if ( $passwordReset->isAllowed( $this->getUser() )->isGood() ) {
 				$form->addFooterText( Html::rawElement(
 					'div',
 					[ 'class' => 'mw-ui-vform-field mw-form-related-link-container' ],

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Password reset link is shown when no reset options are available	mediawiki/core	REL1_27	+1 -1
Password reset link is shown when no reset options are available	mediawiki/core	master	+1 -1
Password reset bar removed.	mediawiki/core	master	+1 -1

Customize query in gerrit

Related Objects

Mentioned In: T148662: "Forgot your password?" text is displayed on Login page, even when external auth plugin doesnt allow local password reset

Event Timeline

FHannes created this task.Sep 4 2016, 11:56 PM

Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptSep 4 2016, 11:56 PM

Thanks for taking a look at the code!

You are very welcome to use developer access to submit the proposed code changes as a Git branch directly into Gerrit which makes it easier to review them quickly and provide feedback.
If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

No problem, I wanted to use developer access, but it seemed a rather lengthy process to set up and my time is fairly constrained at the moment. I did not know about the patch uploader though, thanks for the info.

@FHannes: Do you want to upload your patch with the Patch Uploader? If not, would you be so kind to give an e-mail-address, so I can create a change in gerrit with you as an author? :)

Florian triaged this task as Low priority.Sep 7 2016, 5:05 PM

Florian moved this task from To triage to Passwords/Email on the MediaWiki-Special-pages board.

In T144705#2615471, @Florian wrote:

@FHannes: Do you want to upload your patch with the Patch Uploader? If not, would you be so kind to give an e-mail-address, so I can create a change in gerrit with you as an author? :)

I have tried, but the Patch Uploader throws an exception "no existing author found" for my email address. I'm not sure why exactly it does that, as there are no specific instructions on the page that indicate I'm doing something wrong.

@FHannes: Probably you did not try to upload a patch, but instead just the diff (if you just copied the part of your task description to a file, e.g.). Please see the supported patch formats on the gerrit patch uploader page: https://tools.wmflabs.org/gerrit-patch-uploader/

Allowed patch formats:

git format-patch -M origin/master
git format-patch -1 --stdout HEAD
diff -u file1 file2
git diff
svn diff

In T144705#2625630, @Florian wrote:

@FHannes: Probably you did not try to upload a patch, but instead just the diff (if you just copied the part of your task description to a file, e.g.). Please see the supported patch formats on the gerrit patch uploader page: https://tools.wmflabs.org/gerrit-patch-uploader/

I generated a new patch file with git diff for the master branch of MediaWiki to submit to Gerrit, so I doubt that is the problem.

Srinathnairt claimed this task.Oct 2 2016, 10:23 AM

Srinathnairt removed Srinathnairt as the assignee of this task.Oct 2 2016, 1:51 PM

Srinathnairt subscribed.

amritsreekumar claimed this task.Oct 3 2016, 8:11 AM

Change 313853 had a related patch set uploaded (by Huji):
Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/313853

gerritbot added a project: Patch-For-Review.Oct 3 2016, 6:35 PM

Change 314263 had a related patch set uploaded (by Amritsreekumar):
Password reset bar removed.

https://gerrit.wikimedia.org/r/314263

Change 314263 abandoned by Aklapper:
Password reset bar removed.

Reason:
Thanks a lot for your patch! However, this is a duplicate of https://gerrit.wikimedia.org/r/#/c/313853/ hence I am abandoning this patch. I hope it's not a problem that someone else (Huji) also provided a patch for this problem; there are many many other unresolved bugs that welcome your help to fix them! :)

https://gerrit.wikimedia.org/r/314263

amritsreekumar removed amritsreekumar as the assignee of this task.Oct 6 2016, 5:55 AM

amritsreekumar subscribed.

Aklapper assigned this task to Huji.Oct 6 2016, 6:18 AM

Change 313853 merged by jenkins-bot:
Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/313853

ReleaseTaggerBot added projects: MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-10-11_(1.28.0-wmf.22)).Oct 10 2016, 10:00 PM

Huji closed this task as Resolved.Oct 13 2016, 7:01 PM

Florian mentioned this in T148662: "Forgot your password?" text is displayed on Login page, even when external auth plugin doesnt allow local password reset.Aug 19 2017, 6:00 PM

Change 372767 had a related patch set uploaded (by Florianschmidtwelzow; owner: Huji):
[mediawiki/core@REL1_27] Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/372767

Change 372767 merged by jenkins-bot:
[mediawiki/core@REL1_27] Password reset link is shown when no reset options are available