Special:PasswordReset locks out of account: "Incorrect password entered"
Closed, Resolved (Public)

Description

Spotted by Elitre and confirmed by me on translatewiki.net, verified by me on http://en.wikipedia.beta.wmflabs.org with a new account created on purpose:

  1. Register an account with password and email
  2. Confirm email
  3. Log out
  4. Visit Special:PasswordReset and enter username to get password by email
  5. Try to log in with the received email

I) Expected: I'm logged in.
II) Observed:

Login error
Incorrect password entered. Please try again.

(With any number of attempts.)

Last time something like this happened to me, on bug 56114, I was told it was some problem with wikitech's encryption package; there's also a similar report by another wiki on bug 52570.


Version: 1.24rc
Severity: critical

Details

Reference
bz69102

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 22 2014, 3:34 AM
bzimport set Reference to bz69102.

Change 151647 had a related patch set uploaded by Florianschmidtwelzow:
Don't override a new password in loadFromRow()

https://gerrit.wikimedia.org/r/151647

I think I know the cause of this issue, but I cannot get email working on my vagrant instance, so if somebody else could test the patch once I get it up in a few minutes, I'd appreciate it.

@Tyler: I can test, but maybe it's the same approach as my patch? :)

Change 151649 had a related patch set uploaded by Parent5446:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151649

Change 151649 merged by jenkins-bot:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151649

Change 151647 abandoned by Florianschmidtwelzow:
Don't override a new password in loadFromRow()

Reason:
Fixed in I0b881986323051abed7d1af816eae9eafdbd6782

https://gerrit.wikimedia.org/r/151647

Change 151691 had a related patch set uploaded by Florianschmidtwelzow:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151691

To the "?" at the flag (I don't know if someone looks at it): this actually breaks the password reset completely, and wmf16 is still created from master with this regression. That means: without a backport to wmf16, on August 12 no non-Wikipedia and on August 14 no Wikipedia will be able to reset their passwords. What I want to say: Backport, backport, backport! :D (and remove the "?") :)

Yeah definitely. I don't have the permissions to set the WMF backport flag, so the best I can do is request it and wait for somebody to approve.

Right, ok, just to clarify that we have the same opinion :)

Change 151691 merged by jenkins-bot:
Add loadPasswords() calls to User password mutators

https://gerrit.wikimedia.org/r/151691

[Backport was merged into 1.24wmf16 upon a time, hence setting Backport_WMF flag to +]