
Setting $wgPasswordResetRoutes to false still allows to go to Special:Preferences or Special:ChangePassword and reset the password
Closed, Resolved (Public)

Description

Here is what the Manual:$wgPasswordResetRoutes page states about the $wgPasswordResetRoutes variable:

Setting all of these to false (or the whole variable to false) has the effect of disabling password resets entirely.

This is not quite true. While it removes the link from the login form, it is still possible to go to the Special:Preferences page (or directly to Special:ChangePassword) and reset the password from there.

Either the wording needs to be changed in the manual (and in includes/DefaultSettings.php) or this feature is incomplete.

Tested in 1.24.1.

Event Timeline

Aklapper changed the task status from Open to Stalled. Jul 23 2017, 11:15 AM
Aklapper added a project: Documentation.

Thanks for reporting this!

Tested in 1.24.1.

Does this still happen in a supported MediaWiki version?

I have now created a test set-up with 1.29 and can confirm that the behaviour is the same as in 1.24.1.

The screenshots show the UI after adding $wgPasswordResetRoutes=false; into LocalSettings.php.

Aklapper renamed this task from "$wgPasswordResetRoutes does not quite work as advertised" to "Setting $wgPasswordResetRoutes to false still allows to go to Special:Preferences or Special:ChangePassword and reset the password". Jul 24 2017, 8:12 AM
Aklapper changed the task status from Stalled to Open.

Also the highlighted part of this statement:

Setting all of these to false (or the whole variable to false) has the effect of disabling password resets entirely.

suggests that setting the value to true would enable password resets. This is, however, not the case, because the logic is currently written in such a way that setting the value to anything that is not an array will have the same effect. As a result, both statements:

$wgPasswordResetRoutes = false;

$wgPasswordResetRoutes = true;

disable password reset functionality.

The premise of this task is invalid, but the documentation can be improved. Already updated some parts here and here.

Here is what the Manual:$wgPasswordResetRoutes page states about the $wgPasswordResetRoutes variable:

Setting all of these to false (or the whole variable to false) has the effect of disabling password resets entirely.

This is not quite true.

No, it's true. Resetting the password is done via Special:PasswordReset. If you set $wgPasswordResetRoutes = false, you'll see an error if you visit that page and you cannot 'reset' the password.

While it removes the link from the login form, it is still possible to go to the Special:Preferences page (or directly to Special:ChangePassword) and reset the password from there.

You don't reset the password in Special:ChangePassword; you "change" it. The page name clearly says so. Login is required to access Special:ChangePassword, and you'll be able to change the password on the spot. Special:Preferences does not link to the password 'reset' page.

$wgPasswordResetRoutes (as its name and documentation clearly state) disallows password 'reset' or specifies one of two possible 'routes' for resetting the password; it does not disallow password 'change'.

I know it's a bit strange to claim 'password reset' and 'password change' are not the same, but that's currently how MediaWiki uses the terms and so must be used as such.

Ammarpad claimed this task.

The documentation has been expanded a bit (although it's already correct).