One should not have to confirm an email by which the account was created
Open, Needs Triage, Public

Description

For accounts created by another user by email, the email used should be confirmed from the start (since first login); it is obvious that it is legit, unless we expect someone to guess the random initial password, sure.

Event Timeline

Hi @Base, could you please edit the task description and provide separate sections for:

  • Steps to reproduce the initial situation
  • Expected outcome
  • Current actual outcome

This should make it easier to understand for others what is requested in this task. Also see How to report a bug for more information.

Is this about $wgEmailAuthentication being set to true, for account registration? Or is this (also) about $wgEmailConfirmToEdit, for editing?
How do you create "accounts by other user by email"? (As https://www.mediawiki.org/wiki/Manual:Account_creation does not list such an option?)

  1. Yesterday on Meta-Wiki, Guillaume (WMF) created an account for me, Base (WMF) [1]
  2. When I logged into the account using the temporary password sent, changed the password and opened preferences, I noticed that I cannot change email-related preferences since the email address is still not confirmed.

Expected state of affairs:

  1. After logging in with the temporary password sent, changing the password and then opening preferences, the email is already confirmed — it was used to register the account and I used the temporary password sent there, after all.

It was OK on collabwiki though, so I guess there indeed could be reproduction troubles. I am sorry, I just filed this fast while doing something else.

[1] https://meta.wikimedia.org/w/index.php?title=Special%3ALog&type=newusers&user=&page=user%3ABase+%28WMF%29&year=&month=-1&tagfilter=&subtype

@gpaumier, I guess it was Special:Login/signup and set the username, set the email and check "Use a temporary random password and send it to the specified email address", right?

(Just in case, there were no problems with the confirmation, aside from being an unnecessary step)

I think this should be fixable in the TemporaryPasswordPrimaryAuthenticationProvider, by calling confirmEmail() on the user in question, after successful login in this situation. I'm not sure however if there might be security implications...

I run a private wiki, and this is quite a pain point.

All users are created manually via sending their password via email, but none of them have confirmed email addresses, even though they clicked a link sent to them by the wiki.

Steps to reproduce the initial situation

  1. On a private wiki, create a user and choose to email them their password
  2. Click the confirmation link
  3. Change the password

Expected outcome
User is created with a confirmed email address

Current actual outcome
User is created with no email address registered, even though their email address was provided to the wiki and they clicked a link sent to them by the wiki to change their password.