As a password reset user, I want the same message to appear after submitting data on Special:PasswordReset, so that information particular to my account does not get revealed to bad actors.
==== What is the problem?
Normally, if a user has hit their [[ https://www.mediawiki.org/wiki/Manual:$wgRateLimits | 'mailpassword' ]] limit, when they submit the Special:PasswordReset form they are shown the "Action throttled" message.
However, if the user also has their Enhanced Password Reset preference enabled and submits only their username, they are instead shown the normal password reset message (as implemented in T238961).
This reveals that they have the Enhanced Password Reset preference enabled, which is arguably a disclosure of private information.
For example, for users Steve (EPR enabled) and Adam (EPR disabled), submitting different parameters in Special:PasswordReset gives:
| **Username** | **Email** | **Outcome** |
| Steve | | Normal password reset message |
| Steve | steve@local.wmftest.net | "Action throttled" |
| Adam | | "Action throttled" |
| Adam | adam@local.wmftest.net | "Action throttled" |
==== **Steps to reproduce problem:**
If "Eve" has EPR enabled:
1. Keep submitting Special:PasswordReset until I hit the `$wgRateLimits` limit for my user/IP (for most/all wikis, this is 5 attempts by the same IP within 1 hour)
2. Submit Special:PasswordReset with Username=Eve and a blank Email
**Expected behavior:** "Action throttled"
**Observed behavior:** Normal password reset message.
**Acceptance Criteria:**
* Display the same message to all users, regardless of whether they have hit their Manual:$wgRateLimits
** Redirect all users to the password informational page
** Update the second paragraph (see screenshot example below for which paragraph I'm referring to) as follows:
*** If the information submitted is valid, a password reset email will be sent. If you haven't received an email, we recommend that you visit the [[ https://www.mediawiki.org/wiki/Help:Reset_password | reset password help page ]] or try again later. You can only **request a limited number of password resets within a short period of time**. **Only one password reset email will be sent per valid account every 24 hours** in order to prevent abuse.
**** Be sure to follow specifications (as seen above) for bold text
*** Maintain the link to the MediaWiki help page on password resets (this is already in the current paragraph and it should not be changed in the new one).
**Visual Example (see red outline for paragraph text we should update):**
{F31757796}
==== Environment
**Wiki(s):** MediaWiki 1.35.0-alpha (9b125a0)
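
The outcome table and the acceptance criteria above can be turned into a regression check. The following is an added example, not MediaWiki's code: a simplified Python model in which `observed_response`, `uniform_response` and `distinguishing_inputs` are hypothetical names, the two accounts are the constructed ones from the table, and the message shown to a non-throttled request is assumed to be the normal one.

```python
from dataclasses import dataclass
from itertools import product

THROTTLED = "Action throttled"
GENERIC = "Normal password reset message"

@dataclass(frozen=True)
class Account:
    name: str
    email: str
    epr_enabled: bool  # Enhanced Password Reset preference

# Constructed sample accounts, mirroring the table in this task.
ACCOUNTS = {
    "Steve": Account("Steve", "steve@local.wmftest.net", True),
    "Adam": Account("Adam", "adam@local.wmftest.net", False),
}

def observed_response(username, email, rate_limited):
    """Model of the reported behaviour: the message depends on EPR."""
    if not rate_limited:
        return GENERIC  # assumption: non-throttled requests see the normal message
    acct = ACCOUNTS.get(username)
    # Reported bug: a throttled, username-only request for an EPR account
    # gets the normal message instead of "Action throttled".
    if acct and acct.epr_enabled and not email:
        return GENERIC
    return THROTTLED

def uniform_response(username, email, rate_limited):
    """Acceptance criteria: the same message for every submission."""
    # Throttling is still enforced server-side; it just is not shown.
    return GENERIC

def distinguishing_inputs(respond):
    """Return (email_supplied, rate_limited) cases where accounts differ."""
    leaks = []
    for with_email, limited in product([False, True], repeat=2):
        seen = {
            respond(a.name, a.email if with_email else "", limited)
            for a in ACCOUNTS.values()
        }
        if len(seen) > 1:
            leaks.append((with_email, limited))
    return leaks
```

An empty list from `distinguishing_inputs` means no combination of submitted fields and throttle state lets an observer tell an EPR account from a non-EPR one.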