
Provide a web interface for privileged users to change email address for other users
Open, Needs Triage | Public | Feature

Description

Feature summary (what you would like to be able to do and where):

Create a restricted-use web interface to allow authorised users to reset account email addresses, with proper logging and support for all valid usernames.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

In T399978, an attempt to reset a user's email via the resetUserEmail.php maintenance script failed when the username contained a dollar sign ($). This turned out to be an issue caused by the use of double-quotes in the command line. The underlying problem is that relying on CLI tools for sensitive account actions is error-prone, particularly for usernames with special characters, and requires shell access. There is currently no web-based tool available to perform this action safely and with an audit trail.

Benefits (why should this be implemented?):

  • Avoids shell quoting issues and other CLI-related errors
  • Enables safer workflows for stewards or system administrators without shell access
  • Adds accountability through proper logging
  • Provides a more user-friendly, secure way to handle sensitive account changes

See also: T195207: Special page to disable OATH for other users - similar functionality implemented for ease of user administration
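The quoting failure described in the use case above, reproduced as an added example (not code from this task or from MediaWiki). The username is constructed, and `received_arg`, `run_typed` and `sh_quote` are hypothetical helpers; `received_arg` stands in for the maintenance script and only reports the argument it was given.

```shell
#!/bin/sh
# Constructed sample: a hypothetical username containing '$' (not from the task).
SAMPLE_USER='Ex$ample User'

# Stand-in for the maintenance script (hypothetical helper): reports the
# first argument exactly as the shell delivered it.
received_arg() {
    printf '%s' "$1"
}

# Simulate an operator typing a command line: the text is parsed by the
# shell, which is the step where "$name" inside double quotes is expanded.
# 'ample' is unset in a subshell so the expansion result is deterministic.
run_typed() {
    ( unset ample; eval "$1" )
}

# Quote arbitrary text for safe use on a command line: wrap it in single
# quotes and rewrite each embedded ' as '\'' so nothing is interpreted.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# What the script receives when the username is typed inside double quotes.
double_quoted_result() {
    run_typed "received_arg \"$1\""
}

# What the script receives when the username is single-quoted via sh_quote.
single_quoted_result() {
    run_typed "received_arg $(sh_quote "$1")"
}

# Demo: show both outcomes for the constructed username.
printf 'double-quoted: [%s]\n' "$(double_quoted_result "$SAMPLE_USER")"
printf 'single-quoted: [%s]\n' "$(single_quoted_result "$SAMPLE_USER")"
```

With double quotes the shell silently replaces `$ample` with an empty string, so the script is asked to act on a different username than the one intended.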

Event Timeline

Reedy renamed this task from Provide a web interface for user email resets to Provide a web interface too allow privileged users to change email address for other users. Jul 27 2025, 5:33 PM
Reedy renamed this task from Provide a web interface too allow privileged users to change email address for other users to Provide a web interface for privileged users to change email address for other users.
Reedy updated the task description.

Change #1173971 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Introduce special page for resetting an users email

https://gerrit.wikimedia.org/r/1173971

It's worth pointing out that stewards currently don't have the right to do this, and due to the way CentralAuth's GlobalGroupPermissions allows them to grant global groups all possible rights, this will necessarily entail, at least in theory, giving them the ability to do this unless you go out of your way to prevent it.

You may well be fine with that, but that seems like a significant step up from what they can currently do (since only sysadmins can do this right now) and I didn't want it to pass unnoticed.

I do not really think that is completely new. There are already very funny permissions like oathauth-api-all which would allow them to do weird stuff.

I think the most important thing here is the logging so that no one could secretly abuse this.

oathauth-api-all allows you to:

  • Check if another user has 2FA enabled without logging that check.
  • Validate 2FA codes for other users.

That seems much less dangerous than this to me.

A shortcoming of MediaWiki is that there is no separate admin interface that could be access-controlled more harshly, so anything that's implemented as a special page will be subject to the usual XSS etc. concerns.

I wonder if it made sense to put this functionality in officewiki. It could fetch usernames from meta via the web API and e.g. trigger a shell script to do the change.

> A shortcoming of MediaWiki is that there is no separate admin interface that could be access-controlled more harshly, so anything that's implemented as a special page will be subject to the usual XSS etc. concerns.

There is some stuff already, like disabling loading of user js (and common js?) that currently exists in Special:Preferences and login. We could also force a password re-entry too.

Change #1173971 abandoned by Zabe:

[mediawiki/core@master] Introduce special page for resetting an users email

Reason:

(not working on this)

https://gerrit.wikimedia.org/r/1173971