Last modified: 2011-04-30 01:16:43 UTC
If the API is used to attempt to login, but the password used to do so is a temporary reset password, $loginForm->authenticateUserData() will return LoginForm :: RESET_PASS. The API does not handle this and falls through to the default case, returning an error. I would expect it to return a specific failure code that would indicate the use of a reset password, as suggested by the comments in SpecialUserlogin.php: // At this point we just return an appropriate code indicating // that the UI should show a password reset form; bot inter- // faces etc will probably just fail cleanly here. If it does not return a new value, it could return WrongPass, since it is not the right (normal) password. (Yes, I actually got this one, testing MediaWikiAuth.)
I think we should just silently reject temporary passwords as wrong passwords, i.e. add LoginForm::RESET_PASS as fall through to LoginForm::WRONG_PASS.
Fixed as per Bryan and SpecialUserlogin comment. r60729
