[Bug 29135] Special:PasswordReset: for logged-in users (password, OpenID, Auth): do not show input field for name, but fill-in current (own) name, and make this field readonly, disallow other names

2011-06-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

Krinkle krinklem...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krinklem...@gmail.com
           Severity|major                       |enhancement

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
You are on the CC list for the bug.

___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 29135] Special:PasswordReset: for logged-in users (password, OpenID, Auth): do not show input field for name, but fill-in current (own) name, and make this field readonly, disallow other names

2011-05-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

--- Comment #6 from T. Gries m...@tgries.de 2011-05-30 07:32:38 UTC ---
Hello, because I do not feel yet competent enough to change the code in such a
sensitive area like login and password issues: can someone of you (experts)
please look into the following change request, and apply a fix for it?

The following is an aggregated summary.

* Problem to be solved:

User A can trigger a password-mail to other user B by accessing (simply by
accessing Special:PasswordReset and inputting username B into the field)

When logged-in users visit Special:PasswordReset,
they see an _empty_ input field for entering a username.

The _empty_ field does not make sense, because:

Logged-in users should - except in special cases like members of a new group -
$wgGroupPermissions[sysop][isallowed-to-reset-other-user-password] = true;

not be allowed to trigger reset password of a different user.

* Change requests (A), (B) in Special:PasswordReset
* (A)
- if user, then PasswordReset should
- disallow typing of arbitrary usernames
- populate the Username field with the current user's username
- this field set readonly=readonly
- the onSubmit callback must sanitize the return and check whether the
correct and only allowed current user's username comes back
- no password throttle if user resets the own password by mail:
(skip check against password throttle if user resets the own password.)
- then mailing the temporary password to user(username)

* (B) 
I also need (for OpenID) a clean way of internally sending directly a temporary
password (not: e-mail confirmation, this is already implemented) to logged-in
user (without the form). Such a function could be re-used by change request (A)
method.

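
The server-side check requested in (A) of comment #6, as an added example that is not part of the bug report and not MediaWiki's code: the reset target is derived from the session, and the posted username is only honoured for holders of the proposed right. The function names, the simplified name canonicalisation and the handling of anonymous visitors are assumptions; only the right name comes from the comment.

```php
<?php
declare(strict_types=1);

// Right name as written in comment #6; everything else here is hypothetical.
const RESET_OTHERS_RIGHT = 'isallowed-to-reset-other-user-password';

// Simplified canonical form (assumption): underscores to spaces, trimmed, first letter upper-case.
function canonicalName(string $name): string
{
    return ucfirst(trim(str_replace('_', ' ', $name)));
}

/**
 * Decide server-side whose password may be reset.
 * $sessionUser is null for an anonymous visitor.
 * Returns an array with the keys allowed, target and throttle.
 */
function resolveResetTarget(?string $sessionUser, array $rights, string $submitted): array
{
    $submitted = canonicalName($submitted);
    if ($sessionUser === null) {
        // Anonymous visitor: form unchanged, throttle still applies (assumption).
        return ['allowed' => $submitted !== '', 'target' => $submitted, 'throttle' => true];
    }
    $own = canonicalName($sessionUser);
    if ($submitted === '' || $submitted === $own) {
        // Own reset: the target comes from the session, never from the posted field.
        return ['allowed' => true, 'target' => $own, 'throttle' => false];
    }
    if (in_array(RESET_OTHERS_RIGHT, $rights, true)) {
        return ['allowed' => true, 'target' => $submitted, 'throttle' => true];
    }
    // readonly is only a browser hint; a tampered POST ends up here.
    return ['allowed' => false, 'target' => null, 'throttle' => true];
}

// Constructed requests: [session user, rights, posted username]
$cases = [
    ['UserA', [], 'UserA'],
    ['UserA', [], 'UserB'],                      // readonly field edited before submit
    ['SysopC', [RESET_OTHERS_RIGHT], 'UserB'],
    [null, [], 'UserB'],
];
foreach ($cases as [$user, $rights, $posted]) {
    $r = resolveResetTarget($user, $rights, $posted);
    $outcome = $r['allowed']
        ? "mail {$r['target']}" . ($r['throttle'] ? ' (throttled)' : '')
        : 'rejected';
    printf("%-7s posts %-6s => %s\n", $user ?? '(anon)', $posted, $outcome);
}
```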


[Bug 29135] Special:PasswordReset: for logged-in users (password, OpenID, Auth): do not show input field for name, but fill-in current (own) name, and make this field readonly, disallow other names

2011-05-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

T. Gries m...@tgries.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Special:PasswordReset: for  |Special:PasswordReset: for
                   |logged-in users (password,  |logged-in users (password,
                   |OpenID, Auth): do not show  |OpenID, Auth): do not show
                   |input field for name, but   |input field for name, but
                   |fill-in current name and    |fill-in current (own) name,
                   |make this field readonly    |and make this field
                   |                            |readonly, disallow other
                   |                            |names



[Bug 29135] Special:PasswordReset: for logged-in users (password, OpenID, Auth): do not show input field for name, but fill-in current (own) name, and make this field readonly, disallow other names

2011-05-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

--- Comment #4 from Chad H. innocentkil...@gmail.com 2011-05-25 21:34:53 UTC ---
Dur, I was looking at ChangePassword, not PasswordReset.



[Bug 29135] Special:PasswordReset: for logged-in users (password, OpenID, Auth): do not show input field for name, but fill-in current (own) name, and make this field readonly, disallow other names

2011-05-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

--- Comment #5 from T. Gries m...@tgries.de 2011-05-25 22:02:32 UTC ---
Update:

no password throttle if user A resets the own password (user A) by mail:
check against password throttle to be skipped if user resets the own password.
