Notify user by email when password changed
Open, Public

Description

It would be a nice idea to notify users by email (when they have an address set up) that their account password has been changed.


Version: unspecified
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=44486
https://bugzilla.wikimedia.org/show_bug.cgi?id=9838

bzimport set Reference to bz26227.
Peachey88 created this task. Via Legacy, Dec 4 2010, 2:22 AM
demon added a comment. Via Conduit, Dec 5 2010, 4:33 AM

*sigh*

I hate adding user prefs, but I'd want to disable this...

Platonides added a comment. Via Conduit, Mar 20 2011, 12:12 AM

Why?

demon added a comment. Via Conduit, Mar 20 2011, 5:16 AM

Why should we add such a feature, or why would I want to disable it?

DanielFriesen added a comment. Via Conduit, Mar 20 2011, 5:27 AM

Currently we have an account swiping problem. If someone gains access to a session, they can escalate that to exclusive full account control by changing the e-mail and using password reset. This process has no notifications (which should be in place) to warn the user that their account has been swiped.
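
The gap this comment describes, modelled as an added example (not part of the original thread and not MediaWiki code): notices go to the address on record before the change, so an e-mail change made from a hijacked session still reaches the owner. `Account`, `change_email`, `change_password` and the sample addresses are constructed for illustration, and the example covers the e-mail change as well as the password change named in the task title.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Mail = Tuple[str, str]  # (recipient, subject); the list of these stands in for a mailer


@dataclass
class Account:
    name: str
    password_hash: str
    email: Optional[str] = None  # address on record, if the user set one


def notify(outbox: List[Mail], recipient: Optional[str], subject: str) -> None:
    """Queue a notice; accounts without an address are skipped."""
    if recipient:
        outbox.append((recipient, subject))


def change_password(acct: Account, new_hash: str, outbox: List[Mail]) -> None:
    acct.password_hash = new_hash
    notify(outbox, acct.email, f"Password changed for {acct.name}")


def change_email(acct: Account, new_email: str, outbox: List[Mail]) -> None:
    old = acct.email  # capture before overwriting
    acct.email = new_email
    # The old address is the one channel the session holder does not control.
    notify(outbox, old, f"E-mail address changed for {acct.name}")
    if new_email != old:
        notify(outbox, new_email, f"E-mail address set for {acct.name}")


def notices_for(outbox: List[Mail], recipient: str) -> List[str]:
    return [subject for rcpt, subject in outbox if rcpt == recipient]


def takeover_chain() -> List[Mail]:
    """Replay the sequence from the comment with constructed data."""
    outbox: List[Mail] = []
    acct = Account("ExampleUser", "hash-0", "owner@example.org")
    change_email(acct, "intruder@example.net", outbox)  # from the hijacked session
    change_password(acct, "hash-1", outbox)             # completed via password reset
    return outbox


if __name__ == "__main__":
    for recipient, subject in takeover_chain():
        print(f"{recipient}: {subject}")
```

In this model the password-change notice alone goes to the replaced address; only the notice sent to the old address on the e-mail change reaches the owner.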

Bawolff added a comment. Via Conduit, Mar 20 2011, 5:42 AM

I'd argue requiring a password to change the email would be a much more effective means to prevent that attack though.

IAlex added a comment. Via Conduit, Mar 20 2011, 6:35 AM

That's bug 20185.

Platonides added a comment. Via Conduit, Mar 20 2011, 3:34 PM

(In reply to comment #3)
Why would you want to disable that?

demon added a comment. Via Conduit, Mar 20 2011, 4:21 PM

(In reply to comment #7)
> (In reply to comment #3)
> Why would you want to disable that?

Because I don't like getting extra e-mails? Especially when it's about an action I initiated myself.

Platonides added a comment. Via Conduit, Mar 20 2011, 8:40 PM

> Because I don't like getting extra e-mails? Especially when it's about an
> action I initiated myself.

I think you /would/ want that in case it wasn't you who initiated it. How often do you change your password? I don't think most people have ever changed their password. Much less doing so often enough to be annoying.

bzimport added a comment. Via Conduit, Feb 12 2012, 3:20 PM

ashishmittal.mail wrote:

Hello,

I would like to solve this bug. I believe solving this would require editing of execute() in Special:ChangePassword file to add a sendmail() function along with creation of some messages (in MessagesEN.php) which would form the body of the mail as parameters to sendmail(). This process would be somewhat similar to what has been implemented in PasswordReset. Kindly guide if this is the correct approach and I should go ahead with it.

Thanks,
Aashish

Platonides added a comment. Via Conduit, Feb 20 2012, 11:18 PM

You would use UserMail, but otherwise yes, that seems the right process.

Aklapper added a comment. Via Conduit, Jul 24 2013, 10:50 AM

Patch in Gerrit needs review...

Parent5446 added a comment. Via Conduit, Jul 24 2013, 8:26 PM

Maybe I should remove the tag, because I need to refactor that patch before it can be merged anyway.

gerritbot added a comment. Via Conduit, Aug 22 2013, 6:18 PM

Change 48578 abandoned by Parent5446:
Notify user by email when password changed

https://gerrit.wikimedia.org/r/48578

Nemo_bis added a project: MediaWiki-Email. Via Web, Jan 4 2015, 6:56 PM
Nemo_bis set Security to None.
demon removed a subscriber: demon. Via Web, Jan 5 2015, 3:38 PM
