Page MenuHomePhabricator
Create Task
Maniphest T157517

If user is granted "admin" rights their pwd length requirement rises to 8 characters - show pwd change interface with appropriate message (now showing temp pwd message)
Closed, DeclinedPublic
Actions

Description

Background:

Non admin's min pwd character limit is 1.

Admin's min pwd character limit is 8.

Problem:
The app is showing the change pwd interface in the case a user newly granted admin tries to log in, but the error message box says:

"You logged in with a temp pwd...".

However, the error message back from the server is...

"Your password is not valid: Passwords must be at least 8 characters. Please choose a new password now, or click 'Skip' to reset it later."

...which isn't perfect as it refers to a "Skip" button which doesn't exist.

Repro:

I created a personal acct on https://en.wikipedia.beta.wmflabs.org then used the following steps to grant that account "bureaucrat" (which means *it* can grant other accts "admin" rights).

  • I ssh'ed into "deployment-tin.deployment-prep.eqiad.wmflabs"
  • I ran "mwscript createAndPromote.php --wiki=enwiki --bureaucrat --force MYACCOUNTUSERNAME"

Then while logged in to my personal account on beta labs I was able to use my personal acct to grant a testing account administrator rights via:
https://en.wikipedia.beta.wmflabs.org/wiki/Special:UserRights/Acct_creation_test_001 ("Acct_creation_test_001" was the testing account)

Related:
https://www.mediawiki.org/wiki/API:Login#clientlogin
https://www.mediawiki.org/wiki/Manual:CreateAndPromote.php

Related Objects
Search...

Event Timeline

Mhurd created this task.Feb 8 2017, 1:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 8 2017, 1:06 AM
Mhurd updated the task description. (Show Details)Feb 8 2017, 1:07 AM
Mhurd updated the task description. (Show Details)
Mhurd updated the task description. (Show Details)Feb 8 2017, 1:10 AM
Mhurd updated the task description. (Show Details)Feb 8 2017, 1:26 AM
Mhurd added a comment.EditedFeb 8 2017, 1:32 AM

Reminder - the api doesn't seem to give us any sort of error key or type which would specifically let us know that this password change prompt is character length related (beside the error message string itself - and we can't use that message because it's referencing an interface element which doesn't exist on the app - the "Skip" button.) So may need to actually check that message and have WMFAccountLogin return a different error type if it sees "8 characters"... right now it returns ".temporaryPasswordNeedsChange" but we'll probably want something like "".passwordLengthNeedsIncreaseTo8CharactersMinimum".

Mhurd added a subscriber: JMinor.Feb 8 2017, 2:07 AM
Mhurd updated the task description. (Show Details)Feb 8 2017, 2:10 AM
Mhurd updated the task description. (Show Details)
JMinor triaged this task as Lowest priority.Feb 13 2017, 7:49 PM
JMinor moved this task from Needs Triage to Engineering Backlog on the Wikipedia-iOS-App-Backlog board.
JMinor moved this task from Engineering Backlog to Product Backlog on the Wikipedia-iOS-App-Backlog board.
Mhurd added a parent task: T158609: Return code with "FAIL" and "UI" responses from "clientlogin" and "createaccount" so they can be easily distinguished programmatically..Feb 21 2017, 12:35 AM
JMinor raised the priority of this task from Lowest to Low.May 24 2017, 9:46 PM
Tgr mentioned this in T208246: Change password length requirement and ensure enforcement for privileged users (from 8 to 10).Dec 10 2018, 11:26 AM
TBolliger mentioned this in T211621: The 'your password is weak' message should display on log in for privileged accounts only.Dec 10 2018, 7:45 PM
LGoto moved this task from Product Backlog to Bug Backlog on the Wikipedia-iOS-App-Backlog board.Mar 26 2019, 9:25 PM
LGoto closed this task as Declined.Jul 27 2021, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL