
Password Reset: Update PRU Language in Preferences [x-small]
Closed, Resolved (Public)

Description

As a PM, I want the language describing PRU in Preferences to be updated, so that it is clear and intuitive to users.

Note: This work has been partially implemented by Max in T231495. The purpose of the ticket is to clean up the language, since the current language doesn't fully describe the feature's behavior.

Acceptance Criteria:

  • Provide a checkbox under "Email options" that states "Send password reset emails only when both email address and username are provided."
  • There should be sub-text (i.e. help text shown inline), which states: "This improves privacy and helps prevent unsolicited emails."
  • This checkbox should allow users to turn on/off PRU

Visual Example (note that the text in the mock-up is slightly outdated):

Screenshot_2019-09-09_at_9.47.30_PM.png (906×1 px, 382 KB)

Event Timeline

I'm confused - what's the difference from the current design?

image.png (314×840 px, 56 KB)

@MaxSem There was never a ticket that specified the exact language and visual elements of this work. The first ticket (which you worked on) provided no requirements around these aspects (and it was meant to just focus on basic functionality). While you developed work that is close to what we want, there are certainly some differences -- for example, your implementation states that this preference requires only email (when, in fact, we're building a preference that requires both email and username). So, this ticket is meant to clean up and finalize the UX/language side of the work.

ifried updated the task description.

For one, when reading the UI of T234537#5553996, I initially thought that "Require email address" meant requiring being in control of the email address (i.e. that the feature was like requiring that the user validate the change via email, in addition to knowing the current password, before password changes take effect), whereas it actually is meant to require knowing which email address is linked to the account.

As for the mockup, I would prefer a wording such as "Do not send password reset emails, unless the request provides both the username and the email address associated with that account."

I think that would be more clear, since this is basically a "Do not spam me" feature. However, double negations are usually frowned upon, and "Do not ... unless" may be too similar to that.

Also, the page providing the feature should clearly state the associated risk of confirming a suspicion of the user's email address, in case it would be leaked (I think there's no implementation yet, so not sure if there would indeed be such a confirmation oracle).
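The matching rule this task describes, and the oracle concern raised in the comment above, can be modelled as follows. This is an added example, not part of the thread and not MediaWiki's code: the accounts are constructed, `require_both` stands in for the `requireemail` preference, and the exact-match rules and the single generic reply are assumptions of the sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    username: str
    email: str
    require_both: bool  # stands in for the "requireemail" preference

# Constructed sample accounts (illustrative only).
ACCOUNTS = [
    Account("Alice", "alice@example.org", require_both=True),
    Account("Bob", "bob@example.org", require_both=False),
    Account("Bob2", "bob@example.org", require_both=True),
]

# Assumption: the form answers identically whether or not anything matched,
# so the reply itself cannot confirm a guessed address or username.
GENERIC_REPLY = "If the details match an account, a password reset email has been sent."

def reset_recipients(username, email):
    """Return usernames that should receive a reset email for this request."""
    username = (username or "").strip()
    email = (email or "").strip().lower()
    if not username and not email:
        return []
    recipients = []
    for acct in ACCOUNTS:
        name_ok = acct.username == username          # exact match (simplified)
        mail_ok = acct.email.lower() == email
        if acct.require_both:
            # Preference on: both fields must be supplied and both must match.
            send = bool(username) and bool(email) and name_ok and mail_ok
        else:
            # Preference off: every supplied field must match this account.
            send = (name_ok or not username) and (mail_ok or not email)
        if send:
            recipients.append(acct.username)
    return recipients

def handle_reset_form(username, email):
    """Return (reply shown to the requester, accounts emailed)."""
    return GENERIC_REPLY, reset_recipients(username, email)

if __name__ == "__main__":
    for form in [("", "alice@example.org"), ("Alice", "alice@example.org"),
                 ("", "bob@example.org"), ("Bob2", "")]:
        print(form, "->", handle_reset_form(*form)[1])
```
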

ifried renamed this task from Password Reset: Update Ability to Turn off/off in Preferences to Password Reset: Update PRU Language in Preferences. Oct 15 2019, 8:29 PM
ifried renamed this task from Password Reset: Update PRU Language in Preferences to Password Reset: Update PRU Language in Preferences [x-small]. Oct 15 2019, 11:33 PM
ifried moved this task from Needs Discussion to Up Next (May 6-17) on the Community-Tech board.

Thanks for the feedback, @Platonides! The text in the mock-up is outdated, and the mock-up is only meant to illustrate the basic placement of the text. The actual text will be much more clear, as there will be both a general statement ("Require both email address and username to reset password") and sub-text, which will be displayed inline ("If checked, the password reset email for this account will be sent only when both the email address and username are provided in the reset form"). The general statement is meant to be brief, so users can quickly read the information and get a basic sense of the functionality. However, if they want to receive additional information, they can certainly refer to the inline text as well.

@Platonides I just wanted to update you and let you know that your comments helped us rethink the language. We have just updated the language, which we hope is much more clear. So, thank you!

Change 553379 had a related patch set uploaded (by HMonroy; owner: HMonroy):
[mediawiki/core@master] Change password reset update language in preferences

https://gerrit.wikimedia.org/r/553379

I'm not sure if it's covered by this ticket, but I've noticed a discrepancy due to the requireemail preference being in the 'Email options' section: if the email is not confirmed, it says that "no email will be sent for any of the following features":

noemail.png (235×720 px, 24 KB)

But this isn't true for requireemail; password reset emails are sent even for unconfirmed email addresses.

Change 553379 merged by jenkins-bot:
[mediawiki/core@master] Change password reset update language in preferences

https://gerrit.wikimedia.org/r/553379

But this isn't true for requireemail; password reset emails are sent even for unconfirmed email addresses.

Oh! Thanks for pointing this out @Samwilson. Did you test this?

I was under the impression that it won't send an email if it isn't confirmed. This is why we tried to get stats on how many people who add their emails actually confirm them.

@ifried, as Sam points out, this might change some designs.

Yep I tested it, password reminders are the only exception for confirmed email addresses. As $wgEmailAuthentication says: "all email functions (except requesting a password reminder email) only work for authenticated (confirmed) email addresses."

@Samwilson, thanks for this catch! I've tested and confirmed that password reset emails can be sent to unconfirmed email addresses. This impacts work in T234952. We originally implemented this behavior for confirmed users, as per T234952. For this reason, I have created a new ticket (T239937) to implement this same behavior for unconfirmed users. We can discuss it in Estimation today, and I'll connect with @Prtksxna on the ticket (after estimation) as well.

Also, we'll need to rethink the message for unconfirmed users, since the message is not accurate for them (given the new preference, as Sam has pointed out). Thanks!

dom_walden subscribed.

Acceptance Criteria:

  • Provide a checkbox under "Email options" that states "Send password reset emails only when both email address and username are provided."
  • There should be sub-text (i.e. help text shown inline), which states: "This improves privacy and helps prevent unsolicited emails."

PRU in Special:Preferences now looks like:

pru_pref_lang.png (58×649 px, 5 KB)

Wording matched acceptance criteria.

As this is just an update to a translation, there is nothing else I can see to test.

ifried moved this task from Product sign-off to Done on the Community-Tech (Kanban-Q2-2019-20) board.

I've also confirmed that this is available on test wiki (see screenshot below). I'm marking this work as Done.

Screen Shot 2020-01-02 at 11.33.40 AM.png (615×748 px, 92 KB)