Page MenuHomePhabricator

ApiLogin::execute() doesn't handle LoginForm :: RESET_PASS
Closed, ResolvedPublic

Description

If the API is used to attempt to login, but the password used to do so is a temporary reset password, $loginForm->authenticateUserData() will return LoginForm :: RESET_PASS. The API does not handle this and falls through to the default case, returning an error.

I would expect it to return a specific failure code that would indicate the use of a reset password, as suggested by the comments in SpecialUserlogin.php:

At this point we just return an appropriate code indicating
that the UI should show a password reset form; bot inter-
// faces etc will probably just fail cleanly here.

If it does not return a new value, it could return WrongPass, since it is not the right (normal) password.

(Yes, I actually got this one, testing MediaWikiAuth.)


Version: 1.14.x
Severity: trivial

Details

Reference
bz20233

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:48 PM
bzimport added a project: MediaWiki-API.
bzimport set Reference to bz20233.

Bryan.TongMinh wrote:

I think we should just silently reject temporary passwords as wrong passwords, i.e. add LoginForm::RESET_PASS as fall through to LoginForm::WRONG_PASS.

Reedy added a comment.Jan 6 2010, 1:45 PM

Fixed as per Bryan and SpecialUserlogin comment. r60729