
Invalid "Change Password" (returnto) page shown after successful temporary password login & password change
Closed, ResolvedPublic

Description

  • 1.23wmf3 (e2e9b85)

Scenario:

+ en.wikipedia.org as of 2013-11-20
+ go to "Reset Password" page and trigger the I-forgot-my-password e-mail-password mail
+ come back to the login page
+ enter the temporary password
+ you are now correctly asked to change your password (=mandatory password change after login with temporary password)
+ after a successful password change you will see

Bug:

page title after successful password change is (still):

"Change Password"

URL is:

"https://en.wikipedia.org/w/index.php?title=Special:ChangePassword&returnto=&returntoquery=&fromhttp=1"

with unsuited information on it:

"You must be logged in to access this page directly."

This is strictly reproducible.


Version: 1.23.0
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=57098
https://bugzilla.wikimedia.org/show_bug.cgi?id=57065

Details

Reference
bz57289

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 2:26 AM
bzimport set Reference to bz57289.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to comment #1)

perhaps the fix of https://bugzilla.wikimedia.org/show_bug.cgi?id=57065 solves this.

^wrong

I meant:

See https://bugzilla.wikimedia.org/show_bug.cgi?id=57098 SpecialPasswordReset when called does not obey an optional returnto parameter

Perhaps the fix of 57098 also solves the present 57289.

Thanks for taking the time to report this!

Confirming:

Result:

  • "Change password - You must be logged in to access this page directly."

Needed to log in once again. Meh.


just to say it very kindly again in case it has been overlooked:

__perhaps_(!)_ the fix of https://bugzilla.wikimedia.org/show_bug.cgi?id=57098 solves this, too.

Is this still happening? I'm not able to reproduce it. Just to confirm,

  • I enter my username and temp password, click login
  • I get the change password form. I'm not logged in. Old password is pre-filled.
  • I enter in a new password (twice), and click submit.
  • I'm taken back to Main_Page, and I'm logged in.

Am I missing a step?

(In reply to comment #5)

Is this still happening? I'm not able to reproduce it. Just to confirm,

  • I enter my username and temp password, click login
  • I get the change password form. I'm not logged in. Old password is pre-filled.

  • I enter in a new password (twice), and click submit.
  • I'm taken back to Main_Page, and I'm logged in.

Am I missing a step?

Yes, certainly.
I still can reproduce my findings as in the first comment, and as confirmed by André in https://bugzilla.wikimedia.org/show_bug.cgi?id=57289#c3

Please reproduce step-by-step:

Scenario:

+ en.wikipedia.org as of 2013-11-22
+ go to "Reset Password" page and trigger the I-forgot-my-password e-mail-password mail
+ come back to the login page
+ enter the temporary password
+ you are now correctly asked to change your password (=mandatory password change after login with temporary password)
+ after a successful password change you will see

"Change Password" (=page title)
"You must be logged in to access this page directly."

URL is:
"https://en.wikipedia.org/w/index.php?title=Special:ChangePassword&returnto=&returntoquery=&fromhttp=1"

This is *strictly* reproducible. Raising severity to "major" because it relates to a password issue, which could point to a critical bug.

screenshot of the page after successfully having entered the temp.password and 2x the new password:

+ http://i.imgur.com/IDNp8W4.png

Change 96970 had a related patch set uploaded by IAlex:
Fix login with temporary password with $wgSecureLogin = true

https://gerrit.wikimedia.org/r/96970

For the record, the cause of this bug is from Ia0a61e98fbff7 (https://gerrit.wikimedia.org/r/93425), which introduced WebRequest::getProtocol as an instance method rather than the previous practice of always using WebRequest::detectProtocol, which is static.

Change 96994 had a related patch set uploaded by MarkAHershberger:
Fix login with temporary password with $wgSecureLogin = true

https://gerrit.wikimedia.org/r/96994

Change 96970 merged by MarkAHershberger:
Fix login with temporary password with $wgSecureLogin = true

https://gerrit.wikimedia.org/r/96970

Change 96994 merged by MarkAHershberger:
Fix login with temporary password with $wgSecureLogin = true

https://gerrit.wikimedia.org/r/96994

That's because the fix has not been deployed yet. However, the actual bug in question has been resolved in master.

Tyler: okay. I understand this from a discussion in the chat some minutes ago. ty