ApiLogin::execute() doesn't handle LoginForm :: RESET_PASS
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	GreenReaper
	Aug 14 2009, 5:25 AM

Description

If the API is used to attempt to login, but the password used to do so is a temporary reset password, $loginForm->authenticateUserData() will return LoginForm :: RESET_PASS. The API does not handle this and falls through to the default case, returning an error.

I would expect it to return a specific failure code that would indicate the use of a reset password, as suggested by the comments in SpecialUserlogin.php:

At this point we just return an appropriate code indicating
that the UI should show a password reset form; bot inter-
// faces etc will probably just fail cleanly here.

If it does not return a new value, it could return WrongPass, since it is not the right (normal) password.

(Yes, I actually got this one, testing MediaWikiAuth.)

Version: 1.14.x
Severity: trivial

Details

Reference: bz20233

Related Objects

Mentioned In: T67857: Logging in using a temporary password is reported as "incorrect password"

Event Timeline

• bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:48 PM

• bzimport added a project: MediaWiki-Action-API.

• bzimport set Reference to bz20233.

GreenReaper created this task.Aug 14 2009, 5:25 AM

Bryan.TongMinh wrote:

I think we should just silently reject temporary passwords as wrong passwords, i.e. add LoginForm::RESET_PASS as fall through to LoginForm::WRONG_PASS.

Fixed as per Bryan and SpecialUserlogin comment. r60729

Anomie mentioned this in T67857: Logging in using a temporary password is reported as "incorrect password".Feb 23 2015, 3:17 PM

ApiLogin::execute() doesn't handle LoginForm :: RESET_PASSClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

ApiLogin::execute() doesn't handle LoginForm :: RESET_PASS
Closed, ResolvedPublic
Actions