Last modified: 2011-04-07 22:02:55 UTC
Maybe also give them a more friendly error message on log in.
In what scenario would this happen?
(In reply to comment #1)
> In what scenario would this happen?
An extension creates users and doesn't assign them passwords, then logs them in with ->setCookies() or something.
(In reply to comment #2)
> (In reply to comment #1)
> > In what scenario would this happen?
>
> An extension creates users and doesn't assign them passwords, then logs them in
> with ->setCookies() or something.
I think that that extension should then be responsible for giving the user a way to authenticate.
(In reply to comment #3)
> I think that that extension should then be responsible for giving the user a
> way to authenticate.
But if the user goes to Special:Resetpass or Special:Userlogin, they keep saying "incorrect password" even though there can't be a "correct password".
Creating a user without creating a password is the extension's fault. user_password should *not* be empty, unless you're using an AuthPlugin or similar. Which extension is doing this?
I'm going to INVALID this. This is an issue with an extension rather than with MediaWiki. We don't even allow user accounts to be created without a password; the db is in NOT NULL mode for the password field ([[User_table#Schema_summary]]).
User::createNew says (in its doc) "- password The user's password. Password logins will be disabled if this is omitted.". So it's accepted that users with password login disabled exist, but this status is not reflected in Special:Resetpass and Special:Userlogin (and maybe Special:Preferences and Special:Specialpages because they give links to Special:Resetpass).
In this case (no password set on creation, no auth plugin), the user has no way to log in until a password has been set -- so they can't go to Special:ResetPass etc. The most common example of this case is user accounts created by another logged-in user, with a new password reset code sent via email. Until they log in with the reset code, they don't have a password and can't actually log in directly. If your extension is customizing authentication in order to log people in via cookies, then it needs to implement the AuthPlugin interface -- it can then tell the system that passwords don't make sense by returning false for its allowPasswordChange() method. There may be a case where you could be logged in with no local password set, but there is some way to reset local passwords, but offhand I'm not sure.