Page MenuHomePhabricator
Create Task
Maniphest T42050

Allow password reset requests to be handled centrally for unified users
Open, MediumPublic
Actions

Description

Author: akshay.leadindia

Description:
For unified users, password reset requests dont work on wikis where the user has not visited before. This is because a local account for that user has not been created in that wiki. So, after trying to reset password on that wiki, we get an error "The username '$username' is not registered on this wiki, but it does exist in the unified login system". Even if I wanted to create a new account on this current wiki, I wont be allowed to do so citing that my desired username is very similar to/ same as the existing one. As a user, now I need to remember which wiki I had created that account on or any other wiki which I have visited before (as a logged in user) and then try to reset the password there.

As Dantman suggested we cannot allow creating local accounts on wikis where the user has not visited before because you could abuse that to force MW to create local users on wikis that a user will never go. It could be used both as a form of user harassment and as a way to spam the RC even when blocked.

A better approach would be to improve CentralAuth to allow resetting all passwords centrally for unified users.

Should this approach be approved & if it requires significant efforts, I would be interested on making these changes after I am done with SignupAPI

Version: unspecified
Severity: normal

Details

Reference
bz40050

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:08 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz40050.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Sep 6 2012, 11:24 AM
werdna unsubscribed.Dec 10 2014, 5:38 PM
Nemo_bis added a project: MediaWiki-Core-AuthManager.Jul 18 2015, 7:24 PM
Nemo_bis subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2015, 7:24 PM
Tgr merged a task: T89459: Modernize MediaWiki authentication system (AuthManager).Aug 27 2015, 7:07 AM
Tgr added a subtask: T89459: Modernize MediaWiki authentication system (AuthManager).
Tgr added subscribers: Krenair, Tgr, Ricordisamoa and 5 others.
Tgr added a comment.Aug 27 2015, 7:12 AM

Not sure if this is still the case, but if it is, AuthManager will make it easy to handle this cleanly: all auth providers will be able handle, ignore or prevent a password change, and the local-password provider will simply ignore (but not prevent) when the local account does not exist. IIRC password resets will be implemented as a special kind of data change and the same principle will apply.

Anomie added a comment.Jun 16 2016, 4:11 PM

AuthManager doesn't really fix this, since TemporaryPasswordPrimaryAuthenticationProvider needs a local user so it can store the temporary password. We'd have to replace that with something CentralAuth-y (along with other changes) to make it be able to work, or change core to move the user_newpassword field out of the user table and into a table indexed by not-necessarily-existing usernames instead.

OTOH, for WMF wikis we have Meta in $wgCentralAuthAutoCreateWikis so https://meta.wikimedia.org/wiki/Special:PasswordReset should generally be usable.

Also, I note that the default error message for this situation has linked to [[Special:CentralAuth/username]] since August 2013 when T39219 was fixed (although it's currently broken, see https://gerrit.wikimedia.org/r/294732 for the fix), so it's just a matter of clicking the link to find a wiki where it will work.

Tgr edited subtasks, added: T151012: CentralAuth should have its own temporary password handling; removed: T89459: Modernize MediaWiki authentication system (AuthManager).Nov 22 2016, 4:06 AM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:02 PM
RhinosF1 subscribed.Oct 22 2020, 7:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL