Page MenuHomePhabricator

Password reset link is shown when no reset options are available
Closed, ResolvedPublic

Description

When no password routes are available, the reset password link is still shown on special page UserLogin.

Version
MediaWiki 1.27.1

Reproduce:
Add the following line to LocalSettings.php.

$wgPasswordResetRoutes = array( 'username' => false, 'email' => false );

Problem:
In LoginSignupSpecialPage.php, the return value of PasswordReset.isAllowed() is checked as a boolean, where as it is in fact a StatusValue object, so it is always true. 'isGood()' should be called on the object instead.

Fix:
In LoginSignupSpecialPage.php, apply this patch:

@@ -656,7 +656,7 @@ abstract class LoginSignupSpecialPage extends AuthManagerSpecialPage {
 
 		if ( !$this->isSignup() && $this->showExtraInformation() ) {
 			$passwordReset = new PasswordReset( $this->getConfig(), AuthManager::singleton() );
-			if ( $passwordReset->isAllowed( $this->getUser() ) ) {
+			if ( $passwordReset->isAllowed( $this->getUser() )->isGood() ) {
 				$form->addFooterText( Html::rawElement(
 					'div',
 					[ 'class' => 'mw-ui-vform-field mw-form-related-link-container' ],

Event Timeline

FHannes created this task.Sep 4 2016, 11:56 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptSep 4 2016, 11:56 PM
Aklapper renamed this task from Password reset link is shown when no erset options are available to Password reset link is shown when no reset options are available.Sep 5 2016, 12:35 AM

Thanks for taking a look at the code!

You are very welcome to use developer access to submit the proposed code changes as a Git branch directly into Gerrit which makes it easier to review them quickly and provide feedback.
If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

No problem, I wanted to use developer access, but it seemed a rather lengthy process to set up and my time is fairly constrained at the moment. I did not know about the patch uploader though, thanks for the info.

Florian added a subscriber: Florian.Sep 7 2016, 5:04 PM

@FHannes: Do you want to upload your patch with the Patch Uploader? If not, would you be so kind to give an e-mail-address, so I can create a change in gerrit with you as an author? :)

Florian triaged this task as Low priority.Sep 7 2016, 5:05 PM
Florian moved this task from To triage to Passwords/Email on the MediaWiki-Special-pages board.

@FHannes: Do you want to upload your patch with the Patch Uploader? If not, would you be so kind to give an e-mail-address, so I can create a change in gerrit with you as an author? :)

I have tried, but the Patch Uploader throws an exception "no existing author found" for my email address. I'm not sure why exactly it does that, as there are no specific instructions on the page that indicate I'm doing something wrong.

@FHannes: Probably you did not try to upload a patch, but instead just the diff (if you just copied the part of your task description to a file, e.g.). Please see the supported patch formats on the gerrit patch uploader page: https://tools.wmflabs.org/gerrit-patch-uploader/

Allowed patch formats:

git format-patch -M origin/master
git format-patch -1 --stdout HEAD
diff -u file1 file2
git diff
svn diff

@FHannes: Probably you did not try to upload a patch, but instead just the diff (if you just copied the part of your task description to a file, e.g.). Please see the supported patch formats on the gerrit patch uploader page: https://tools.wmflabs.org/gerrit-patch-uploader/

I generated a new patch file with git diff for the master branch of MediaWiki to submit to Gerrit, so I doubt that is the problem.

Srinathnairt removed Srinathnairt as the assignee of this task.Oct 2 2016, 1:51 PM
Srinathnairt added a subscriber: Srinathnairt.

Change 313853 had a related patch set uploaded (by Huji):
Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/313853

Change 314263 had a related patch set uploaded (by Amritsreekumar):
Password reset bar removed.

https://gerrit.wikimedia.org/r/314263

Change 314263 abandoned by Aklapper:
Password reset bar removed.

Reason:
Thanks a lot for your patch! However, this is a duplicate of https://gerrit.wikimedia.org/r/#/c/313853/ hence I am abandoning this patch. I hope it's not a problem that someone else (Huji) also provided a patch for this problem; there are many many other unresolved bugs that welcome your help to fix them! :)

https://gerrit.wikimedia.org/r/314263

amritsreekumar removed amritsreekumar as the assignee of this task.Oct 6 2016, 5:55 AM
amritsreekumar added a subscriber: amritsreekumar.
Aklapper assigned this task to Huji.Oct 6 2016, 6:18 AM

Change 313853 merged by jenkins-bot:
Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/313853

Huji closed this task as Resolved.Oct 13 2016, 7:01 PM

Change 372767 had a related patch set uploaded (by Florianschmidtwelzow; owner: Huji):
[mediawiki/core@REL1_27] Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/372767

Change 372767 merged by jenkins-bot:
[mediawiki/core@REL1_27] Password reset link is shown when no reset options are available

https://gerrit.wikimedia.org/r/372767