What is the problem?
When I submit the same password reset request multiple times in a short period, I can receive more than one password reset email.
I have reproduced this by submitting email and username, just email or just username, and with users who have PRU enabled and disabled.
So far, I have only seen two password reset emails being sent at a time. The second email has the working temporary password (I assume the first temporary password has been overwritten).
Steps to reproduce problem
Probably easiest to do this with some sort of script.
For example, for <username> who has not had a password reset in the last 24 hours (and from an IP that isn't throttled):
for x in {1..5}; do curl -s 'https://<wiki>/wiki/Special:PasswordReset' --data 'wpUsername=<username>&wpEmail=<email>&wpEditToken=%2B%5C' > /dev/null; done
(N.B. I have reproduced this with as little as 3 iterations, but no less)
Expected behavior: <username> receives one password reset email
Observed behavior: <username> (sometimes) receives two password reset emails
Environment
Wiki(s): Reproduced on:
- https://www.mediawiki.org MediaWiki 1.35.0-wmf.30 (rMWcbce38f71d1d) 23:43, 28 April 2020
- My local vagrant MediaWiki 1.35.0-alpha (79f2c9c)