https://bugzilla.wikimedia.org/show_bug.cgi?id=29135
--- Comment #13 from T. Gries <m...@tgries.de> 2011-06-09 12:49:11 UTC ---

(In reply to comment #12)
> In ordinary vanilla MediaWiki, a non-sysop User X cannot be *prevented* from
> triggering password reset for User Y, because User X can simply log out and
> become Nobody. Therefore there is no point in restricting access to
> Special:PasswordReset from logged-in users.
>

Agreed, as I already said this in the introduction.

> What you are describing is a special situation generated by the use of the
> OpenID extension.

Yes and no. Go to a standard wiki and to Special:PasswordReset and you can trigger PasswordReset of Tim or Brion or Jimbo. This is unwanted. Be careful: your username will be revealed in the password mail they receive, I have tested this. (Well, as mentioned, you can log off and PasswordReset as anon.)

As a courtesy to a logged-in user X (yes I know: user==logged-in) and a slight improvement of UI and security, the only meaningful action is: X may only trigger PasswordReset for X.

Test this live: I have just sent you a password reset mail. The next 24 hours you are blocked and cannot have a second chance.

Go to http://www.translatewiki.net
Log in as Happy-melon
Go to http://translatewiki.net/wiki/Special:PasswordReset

See what I mean? You can send password resets to Brion, Tim, .... me, myself and I.

Just for test purposes, I have sent you a password reset mail at 12:46 UTC. The next 24 hours you are blocked and cannot have a second chance.

This hole is what I want to close.