Page MenuHomePhabricator

ApiLogin::execute() doesn't handle LoginForm :: RESET_PASS
Closed, ResolvedPublic


If the API is used to attempt to login, but the password used to do so is a temporary reset password, $loginForm->authenticateUserData() will return LoginForm :: RESET_PASS. The API does not handle this and falls through to the default case, returning an error.

I would expect it to return a specific failure code that would indicate the use of a reset password, as suggested by the comments in SpecialUserlogin.php:

At this point we just return an appropriate code indicating
that the UI should show a password reset form; bot inter-
// faces etc will probably just fail cleanly here.

If it does not return a new value, it could return WrongPass, since it is not the right (normal) password.

(Yes, I actually got this one, testing MediaWikiAuth.)

Version: 1.14.x
Severity: trivial



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:48 PM
bzimport set Reference to bz20233.

Bryan.TongMinh wrote:

I think we should just silently reject temporary passwords as wrong passwords, i.e. add LoginForm::RESET_PASS as fall through to LoginForm::WRONG_PASS.

Fixed as per Bryan and SpecialUserlogin comment. r60729