Page MenuHomePhabricator

Password Reset: Add Preference for Password Reset Behind Feature Flag
Closed, ResolvedPublic3 Estimated Story Points


As a Wikimedia user, I want to be able to enable the password reset update (i.e. username and email address required) in Preferences, so that I can mitigate harassment or mistaken identity via Special:PasswordReset.

Note: We don't know yet know if this preference will be opt-in or opt-out as default. For this reason, this work should be developed in such a way that we can later determine this behavior.

Acceptance Criteria:

  • Create a feature flag
  • Add a preference that controls whether both username and email address are required for password reset
  • Only show this preference if feature flag is enabled

Event Timeline

ifried updated the task description. (Show Details)
ifried set the point value for this task to 3.Aug 29 2019, 5:50 PM

Change 534552 had a related patch set uploaded (by MaxSem; owner: MaxSem):
[mediawiki/core@master] Add a preference to require email for password resets

Change 534552 merged by jenkins-bot:
[mediawiki/core@master] Add a preference to require email for password resets

Since there is nothing to QA, I'm marking this work as Done.

Is there a task for following the rest of the work for this? Because while the preference is obviously done, the task for the work to actually implement it looks AWOL (or on some workboard I've not looked at ;))

T145952: Reduce password reset spam is kinda an overall task, but want to make sure my comment doesn't get lost (let me know if you want a separate ticket)

I note when someone is implementing this... under T230436 and by Community-Tech

Logging should be put in place so we can see the state of things (ip/user X requested reset for Y etc)... And we should be putting in a rate limiter to prevent one user/ip doing a loooad of requests

Both should be relatively easy to do while working in the area

@Reedy This is just one ticket within a larger project. The overall project itself is definitely not done.

As for the next task, we may tackle this ticket next: T232512: Inform Users of Preference on Special:PasswordReset

This reminds me: I should create a label/tag for this project, so our progress is easy to track in Phabricator. As a Phabricator newbie, I'm not sure how to create the tag, but I'll figure it out today :)

@Reedy Thank you! I have written the request ticket for the project tag: T232667

Once the tag is up, I'll let you know.

@Reedy The tasks are now tagged as Password-Reset-Update. Thanks!