
Hide Special:Resetpass for users if they don't have a valid password hash in db and no AuthPlugin is being used
Closed, Invalid · Public · Feature Request

Description

Maybe also give them a more friendly error message on log in.


Version: 1.18.x
Severity: enhancement

Details

Reference
bz28328

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 11:26 PM
bzimport set Reference to bz28328.
bzimport added a subscriber: Unknown Object (MLST).

In what scenario would this happen?

(In reply to comment #1)

In what scenario would this happen?

An extension creates users and doesn't assign them passwords, then logs them in with ->setCookies() or something.

(In reply to comment #2)

(In reply to comment #1)

In what scenario would this happen?

An extension creates users and doesn't assign them passwords, then logs them in with ->setCookies() or something.

I think that that extension should then be responsible for giving the user a way to authenticate.

(In reply to comment #3)

I think that that extension should then be responsible for giving the user a
way to authenticate.

But if the user goes to Special:Resetpass or Special:Userlogin, they keep saying "incorrect password" even though there can't be a "correct password".

Creating a user without creating a password is the extension's fault. user_password should *not* be empty, unless you're using an AuthPlugin or similar.

Which extension is doing this?

I'm going to INVALID this. This is an issue with an extension rather than with MediaWiki. We don't even allow user accounts to be created without a password; the db is in NOT NULL mode for the password field ([[User_table#Schema_summary]]).

User::createNew says (in its doc) "- password The user's password. Password logins will be disabled if this is omitted.". So it's accepted that users with password login disabled exist, but this status is not reflected in Special:Resetpass and Special:Userlogin (and maybe Special:Preferences and Special:Specialpages because they give links to Special:Resetpass).

In this case (no password set on creation, no auth plugin), the user has no way to log in until a password has been set -- so they can't go to Special:ResetPass etc.

The most common example of this case is user accounts created by another logged-in user, with a new password reset code sent via email. Until they log in with the reset code, they don't have a password and can't actually log in directly.

If your extension is customizing authentication in order to log people in via cookies, then it needs to implement the AuthPlugin interface -- it can then tell the system that passwords don't make sense by returning false from its allowPasswordChange() method.

There may be a case where you could be logged in with no local password set, but there is some way to reset local passwords, but offhand not sure.
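The distinction the comments above draw ("no password set" versus "wrong password", and an AuthPlugin that says password changes make no sense) is easy to get wrong, so here is the check a login handler or Special:Resetpass would need, as an added example. This is not MediaWiki code and not code from anyone in this thread; it is written in Python rather than PHP so it can run stand-alone. It assumes the MediaWiki 1.18 user_password layouts as I remember User::crypt() and User::comparePasswords() (empty string for "no password", ':A:' unsalted, ':B:' salted, or a bare old-style digest); the function names and the sample rows are mine.

```python
import hashlib
import hmac
import secrets

# Added example, not MediaWiki code. Assumed MediaWiki 1.18 user_password layouts
# (from User::crypt() / User::comparePasswords() as recalled, not verified here):
#   ''                                              no password set; password login disabled
#   ':A:' + md5(pw)                                 unsalted ($wgPasswordSalt = false)
#   ':B:' + salt + ':' + md5(salt + '-' + md5(pw))  salted (the default)
#   md5(userId + '-' + md5(pw))                     old-style digest with no prefix
# All of these are MD5-based and weak by today's standards; the point here is the
# *state* check (is there a hash at all?), not the hash strength.


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def is_md5_hex(value: str) -> bool:
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def crypt_password(password: str, salt: str = "", salted: bool = True) -> str:
    """Build a user_password value in the assumed ':A:' or ':B:' layout."""
    if not salted:
        return ":A:" + md5_hex(password)
    if not salt:
        salt = secrets.token_hex(4)  # 8 hex chars, like substr(wfGenerateToken(), 0, 8)
    return ":B:" + salt + ":" + md5_hex(salt + "-" + md5_hex(password))


def old_crypt(password: str, user_id: int) -> str:
    """Old-style layout: salted with the numeric user id instead of a random salt."""
    return md5_hex(str(user_id) + "-" + md5_hex(password))


def has_password_login(user_password: str) -> bool:
    """True only if user_password is a well-formed hash that some password could match.

    This is the check the task asks for: an empty or malformed value means
    "no password set", which is a different state from "wrong password".
    """
    if user_password == "":
        return False
    if user_password.startswith(":A:"):
        return is_md5_hex(user_password[3:])
    if user_password.startswith(":B:"):
        salt, sep, digest = user_password[3:].partition(":")
        return sep == ":" and salt != "" and is_md5_hex(digest)
    return is_md5_hex(user_password)  # old-style bare digest


def compare_passwords(user_password: str, password: str, user_id: int) -> bool:
    """Constant-time comparison for the layouts above; False when there is no hash."""
    if not has_password_login(user_password):
        return False
    if user_password.startswith(":A:"):
        expected = ":A:" + md5_hex(password)
    elif user_password.startswith(":B:"):
        salt = user_password[3:].partition(":")[0]
        expected = crypt_password(password, salt=salt)
    else:
        expected = old_crypt(password, user_id)
    return hmac.compare_digest(user_password, expected)


def login_outcome(user_password: str, password: str, user_id: int) -> str:
    """What Special:Userlogin should report instead of a blanket 'incorrect password'."""
    if not has_password_login(user_password):
        return "no_password"  # point the user at the e-mailed reset link instead
    return "ok" if compare_passwords(user_password, password, user_id) else "wrong_password"


def resetpass_visible(user_password: str, allow_password_change: bool = True) -> bool:
    """Whether to offer Special:Resetpass at all.

    allow_password_change stands in for AuthPlugin::allowPasswordChange(); with no
    AuthPlugin configured it is True, and then only the stored hash decides.
    """
    return allow_password_change and has_password_login(user_password)


if __name__ == "__main__":
    # Constructed sample rows: (user_id, user_password)
    rows = {
        "alice": (1, crypt_password("hunter2", salt="ab12cd34")),
        "bob": (2, ""),            # created by an extension, never given a password
        "carol": (3, ":B:broken"),  # malformed value
    }
    for name, (uid, stored) in rows.items():
        print(name, login_outcome(stored, "hunter2", uid), resetpass_visible(stored))
```

One caveat a real implementation would have to handle: the e-mailed temporary password mentioned above lives in the separate user_newpassword column, not in user_password, so "no password but a pending temporary one" is a third state that this example does not model; hiding Special:Resetpass for such a user would break the very flow that is supposed to get them a password.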

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 12:24 PM
Aklapper removed a subscriber: wikibugs-l-list.
Pppery subscribed.

Closing as obsolete due to AuthManager completely reworking the login system.