
Password Reset: Add Preference for Password Reset Behind Feature Flag
Closed, Resolved · Public · 3 Story Points

Description

As a Wikimedia user, I want to be able to enable the password reset update (i.e. username and email address required) in Preferences, so that I can mitigate harassment or mistaken identity via Special:PasswordReset.

Note: We don't yet know if this preference will be opt-in or opt-out as default. For this reason, this work should be developed in such a way that we can later determine this behavior.

Acceptance Criteria:

  • Create a feature flag
  • Add a preference that controls whether both username and email address are required for password reset
  • Only show this preference if feature flag is enabled

Event Timeline

ifried created this task. Wed, Aug 28, 8:52 PM
Restricted Application added a subscriber: Aklapper. Wed, Aug 28, 8:52 PM
ifried updated the task description. Wed, Aug 28, 8:53 PM
ifried updated the task description. Wed, Aug 28, 8:58 PM
ifried updated the task description. Thu, Aug 29, 4:20 PM
ifried updated the task description. Thu, Aug 29, 4:22 PM
ifried updated the task description.
MusikAnimal updated the task description. Thu, Aug 29, 5:30 PM
aezell added a subscriber: aezell. Thu, Aug 29, 5:30 PM
ifried set the point value for this task to 3. Thu, Aug 29, 5:50 PM
MaxSem claimed this task. Wed, Sep 4, 8:14 PM
MaxSem moved this task from Ready to In Development on the Community-Tech (Kanban (Q1 2019-20)) board.

Change 534552 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/core@master] Add a preference to require email for password resets

https://gerrit.wikimedia.org/r/534552

Change 534552 merged by jenkins-bot:
[mediawiki/core@master] Add a preference to require email for password resets

https://gerrit.wikimedia.org/r/534552

ifried closed this task as Resolved. Tue, Sep 10, 10:53 PM

Since there is nothing to QA, I'm marking this work as Done.

Reedy added a subscriber: Reedy. Wed, Sep 11, 5:26 PM

Is there a task for following the rest of the work for this? Because while the preference is obviously done, the task for the work to actually implement it looks AWOL (or on some workboard I've not looked at ;))

T145952: Reduce password reset spam is kinda an overall task, but want to make sure my comment doesn't get lost (let me know if you want a separate ticket)

I note when someone is implementing this... under T230436 and by Community-Tech
Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a loooad of requests
Both should be relatively easy to do while working in the area

@Reedy This is just one ticket within a larger project. The overall project itself is definitely not done.

As for the next task, we may tackle this ticket next: T232512: Inform Users of Preference on Special:PasswordReset

This reminds me: I should create a label/tag for this project, so our progress is easy to track in Phabricator. As a Phabricator newbie, I'm not sure how to create the tag, but I'll figure it out today :)

@Reedy Thank you! I have written the request ticket for the project tag: T232667

Once the tag is up, I'll let you know.

ifried added a comment. Edited Wed, Sep 11, 11:34 PM

@Reedy The tasks are now tagged as Password-Reset-Update. Thanks!
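
An added sketch (not MediaWiki's code and not taken from the Gerrit change) of the behaviour the task description and Reedy's comment describe: a feature flag gating a per-user preference that requires both username and email address for a reset, with per-IP rate limiting and logging of each request. The class, field names, limits and accounts are assumptions constructed for illustration.

```python
import logging
import time
from collections import defaultdict, deque
log = logging.getLogger("password_reset")

# Constructed accounts; the field names are assumptions, not MediaWiki's schema.
USERS = {
    "Alice": {"email": "alice@example.org", "require_email": True},
    "Bob": {"email": "bob@example.org", "require_email": False},
}

class ResetHandler:
    def __init__(self, flag_enabled, max_requests=3, window=3600.0, clock=time.monotonic):
        self.flag_enabled = flag_enabled    # site-wide feature flag
        self.max_requests = max_requests    # allowed requests per IP per window
        self.window = window
        self.clock = clock
        self.recent = defaultdict(deque)    # requester IP -> request timestamps
        self.sent = []                      # stands in for the outgoing mail queue

    def _throttled(self, ip):
        now, seen = self.clock(), self.recent[ip]
        while seen and now - seen[0] >= self.window:
            seen.popleft()                  # drop requests older than the window
        if len(seen) >= self.max_requests:
            return True
        seen.append(now)
        return False

    def request_reset(self, ip, username=None, email=None):
        """Return 'throttled' or 'accepted'; 'accepted' never says whether mail was sent."""
        if self._throttled(ip):
            log.warning("password reset throttled: ip=%s target=%r", ip, username)
            return "throttled"
        if username:
            names = [username] if username in USERS else []
        else:
            names = [n for n, u in USERS.items() if email and u["email"] == email]
        mails = 0
        for name in names:
            user = USERS[name]
            if email and user["email"] != email:
                continue    # both fields given, but they do not belong together
            if self.flag_enabled and user["require_email"] and not (username and email):
                continue    # user opted in: a single identifier is not enough
            self.sent.append(name)
            mails += 1
        log.info("reset: ip=%s target=%r email_given=%s mails=%d", ip, username, bool(email), mails)
        return "accepted"
```

The response is the same whether or not mail was sent, so the form does not reveal which accounts have the preference enabled; the log line records what was actually delivered.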