Page MenuHomePhabricator

$wgMinimalPasswordLength setting does not allow account creation by e-mail
Closed, ResolvedPublic

Description

Author: ammatsun

Description:
When setting $wgMinimalPasswordLength to some non-zero value and allowing an special category of users to create account for others "by e-mail", it is not possible to create new accounts as "Login error:Your password is invalid or too short. It must have at least X characters and be different from your username." is displayed.

The special user can type some password just to pass the validation, but it would be better if either the password is not validated when account is being created "by e-mail" or the random password is generated and set before the validation.

For the first case, the fix can be the aaddition of the following if in function addNewAccountInternal, on line 263 of includes/SpecialUserlogin.php file:

if ( $this->mPosted && !$this->mCreateaccountMail ) {
        if ( !$u->isValidPassword( $this->mPassword ) ) {
                $this->mainLoginForm( wfMsg( 'passwordtooshort', $wgMinimalPasswordLength ) );
                        return false;
        }
}

Version: 1.11.x
Severity: blocker

Details

Reference
bz12988

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:04 PM
bzimport set Reference to bz12988.
bzimport added a subscriber: Unknown Object (MLST).

Fixed in r31277.

A temporary value of '-' was used for the password during creation; this was immediately overwritten with a non-usable null password when the email reset was sent, but would still throw a fatal exception due to the minimal password length check.

Replacing this '-' value with null, a special password value reserved for setting non-valid logins, allows the account to be set up correctly without conflicting with the length minimum.

*** Bug 15009 has been marked as a duplicate of this bug. ***