Page MenuHomePhabricator

Special:PasswordReset locks out of account: "Incorrect password entered"
Closed, ResolvedPublic

Description

Spotted by Elitre and confirmed by me on translatewiki.net, verified by me on http://en.wikipedia.beta.wmflabs.org with a new account created on purpose:

  1. Register an account with password and email
  2. Confirm email
  3. Log out
  4. Visit Special:PasswordReset and enter username to get password by email
  5. Try to login with the received email

I) Expected: I'm logged in.
II) Observed:

Login error
Incorrect password entered. Please try again.

(With any number of attempts.)

Last time something like this happened to me, on bug 56114, I was told it was some problem with wikitech's encryption package; there's also a similar report by another wiki on bug 52570.


Version: 1.24rc
Severity: critical

Details

Reference
bz69102

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.
bzimport set Reference to bz69102.
Nemo_bis created this task.Aug 4 2014, 1:19 PM

Change 151647 had a related patch set uploaded by Florianschmidtwelzow:
Don't override a new password in loadFromRow()

https://gerrit.wikimedia.org/r/151647

I think I know the cause of this issue, but I cannot get email working on my vagrant instance, so if somebody else could test the patch once I get it up in a few minutes, I'd appreciate it.

@Tyler: I can test, but maybe it's the same approach as my patch? :)

Change 151649 had a related patch set uploaded by Parent5446:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151649

Change 151649 merged by jenkins-bot:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151649

Change 151647 abandoned by Florianschmidtwelzow:
Don't override a new password in loadFromRow()

Reason:
Fixed in I0b881986323051abed7d1af816eae9eafdbd6782

https://gerrit.wikimedia.org/r/151647

Change 151691 had a related patch set uploaded by Florianschmidtwelzow:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151691

To the "?" at the flag (i don't know, if someone look onto it), but this actually breaks the password reset completly and wmf16 is still created from master with this regression. That means: Without backport to wmf16 at August, 12 no non-wikipedia and at August, 14 all wikipedias aren't able to reset their passwords. What i want to say: Backport, backport, backport! :D (and remove the "?") :)

Yeah definitely. I don't have the permissions to set the WMF backport flag, so the best I can do is request it and wait for somebody to approve.

Right, ok, just to clarify, that we havethe same opinion :)

Change 151691 merged by jenkins-bot:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151691

[Backport was merged into 1.24wmf16 upon a time, hence setting Backport_WMF flag to +]